<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Credentials from Password Stores: Credentials from Web Browsers, Sub-technique T1555.003 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1555">Credentials from Password Stores</a></li> <li class="breadcrumb-item">Credentials from Web Browsers</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Credentials from Password Stores:</span> Credentials from Web Browsers </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Credentials from Password Stores (6)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1555/001/" class="subtechnique-table-item" data-subtechnique_id="T1555.001"> T1555.001 </a> </td> <td> <a href="/techniques/T1555/001/" class="subtechnique-table-item" data-subtechnique_id="T1555.001"> Keychain </a> </td> </tr> <tr> <td> <a href="/techniques/T1555/002/" class="subtechnique-table-item" data-subtechnique_id="T1555.002"> T1555.002 </a> </td> <td> <a href="/techniques/T1555/002/" class="subtechnique-table-item" data-subtechnique_id="T1555.002"> Securityd Memory </a> </td> </tr> <tr> <td class="active"> T1555.003 </td> <td class="active"> Credentials from Web Browsers </td> </tr> <tr> <td> <a href="/techniques/T1555/004/" class="subtechnique-table-item" data-subtechnique_id="T1555.004"> T1555.004 </a> </td> <td> <a href="/techniques/T1555/004/" class="subtechnique-table-item" data-subtechnique_id="T1555.004"> Windows Credential Manager </a> </td> </tr> <tr> <td> <a href="/techniques/T1555/005/" class="subtechnique-table-item" data-subtechnique_id="T1555.005"> T1555.005 </a> </td> <td> <a href="/techniques/T1555/005/" class="subtechnique-table-item" data-subtechnique_id="T1555.005"> Password Managers </a> </td> </tr> <tr> <td> <a href="/techniques/T1555/006/" class="subtechnique-table-item" data-subtechnique_id="T1555.006"> T1555.006 </a> </td> <td> <a href="/techniques/T1555/006/" class="subtechnique-table-item" data-subtechnique_id="T1555.006"> Cloud Secrets Management Stores </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may acquire credentials from web browsers by reading files specific to the target browser.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.</p><p>For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019."data-reference="Microsoft CryptUnprotectData April 2018">^{<a href="https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p><p>Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019."data-reference="Proofpoint Vega Credential Stealer May 2018">^{<a href="https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019."data-reference="FireEye HawkEye Malware July 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the <a href="/techniques/T1555/004">Windows Credential Manager</a>.</p><p>Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019."data-reference="GitHub Mimikittenz July 2016">^{<a href="https://github.com/putterpanda/mimikittenz" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p><p>After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1555.003 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/techniques/T1555">T1555</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0006">Credential Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Barry Shteiman, Exabeam; RedHuntLabs, @redhuntlabs; Ryan Benson, Exabeam; Sylvain Gil, Exabeam </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>12 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>15 August 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1555.003" href="/versions/v16/techniques/T1555/003/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1555.003" href="/versions/v16/techniques/T1555/003/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/software/S0331">Agent Tesla</a> can gather credentials from a number of browsers.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."data-reference="Bitdefender Agent Tesla April 2020">^{<a href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/groups/G0130"> G0130 </a> </td> <td> <a href="/groups/G0130"> Ajax Security Team </a> </td> <td> <p><a href="/groups/G0130">Ajax Security Team</a> has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."data-reference="Check Point Rocket Kitten">^{<a href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> has used tools to dump passwords from browsers.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye">^{<a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0064"> G0064 </a> </td> <td> <a href="/groups/G0064"> APT33 </a> </td> <td> <p><a href="/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0067"> G0067 </a> </td> <td> <a href="/groups/G0067"> APT37 </a> </td> <td> <p><a href="/groups/G0067">APT37</a> has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018">^{<a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> used BrowserGhost, a tool designed to obtain credentials from browsers, to retrieve information from password stores.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024."data-reference="Rostovcev APT41 2021">^{<a href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0344"> S0344 </a> </td> <td> <a href="/software/S0344"> Azorult </a> </td> <td> <p><a href="/software/S0344">Azorult</a> can steal credentials from the victim's browser.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018."data-reference="Unit42 Azorult Nov 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0093"> S0093 </a> </td> <td> <a href="/software/S0093"> Backdoor.Oldrea </a> </td> <td> <p>Some <a href="/software/S0093">Backdoor.Oldrea</a> samples contain a publicly available Web browser password recovery tool.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly">^{<a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <p><a href="/software/S0089">BlackEnergy</a> has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014">^{<a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Nov 2014">^{<a href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0657"> S0657 </a> </td> <td> <a href="/software/S0657"> BLUELIGHT </a> </td> <td> <p><a href="/software/S0657">BLUELIGHT</a> can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021."data-reference="Volexity InkySquid BLUELIGHT August 2021">^{<a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0484"> S0484 </a> </td> <td> <a href="/software/S0484"> Carberp </a> </td> <td> <p><a href="/software/S0484">Carberp</a>'s passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024."data-reference="Prevx Carberp March 2011">^{<a href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0631"> S0631 </a> </td> <td> <a href="/software/S0631"> Chaes </a> </td> <td> <p><a href="/software/S0631">Chaes</a> can steal login credentials and stored financial information from the browser.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021."data-reference="Cybereason Chaes Nov 2020">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0144"> S0144 </a> </td> <td> <a href="/software/S0144"> ChChes </a> </td> <td> <p><a href="/software/S0144">ChChes</a> steals credentials stored inside Internet Explorer.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0492"> S0492 </a> </td> <td> <a href="/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/software/S0492">CookieMiner</a> can steal saved usernames and passwords in Chrome as well as credit card credentials.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020."data-reference="Unit42 CookieMiner Jan 2019">^{<a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0050"> S0050 </a> </td> <td> <a href="/software/S0050"> CosmicDuke </a> </td> <td> <p><a href="/software/S0050">CosmicDuke</a> collects user credentials, including passwords, for various programs including Web browsers.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes">^{<a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> contains a module to steal credentials from Web browsers on the victim machine.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016">^{<a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020">^{<a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0367"> S0367 </a> </td> <td> <a href="/software/S0367"> Emotet </a> </td> <td> <p><a href="/software/S0367">Emotet</a> has been observed dropping browser password grabber modules. <span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019."data-reference="Trend Micro Emotet Jan 2019">^{<a href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020."data-reference="IBM IcedID November 2017">^{<a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can use modules that extract passwords from common web browsers such as Firefox and Chrome.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire">^{<a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0037"> G0037 </a> </td> <td> <a href="/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/groups/G0037">FIN6</a> has used the Stealer One credential stealer to target web browsers.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019."data-reference="Visa FIN6 Feb 2019">^{<a href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> can steal cookie data and credentials from Google Chrome.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020."data-reference="IBM Grandoreiro April 2020">^{<a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020">^{<a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0132"> S0132 </a> </td> <td> <a href="/software/S0132"> H1N1 </a> </td> <td> <p><a href="/software/S0132">H1N1</a> dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016."data-reference="Cisco H1N1 Part 2">^{<a href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/groups/G1001">HEXANE</a> has used a <a href="/software/S0002">Mimikatz</a>-based tool and a PowerShell script to steal passwords from Google Chrome.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021">^{<a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0434"> S0434 </a> </td> <td> <a href="/software/S0434"> Imminent Monitor </a> </td> <td> <p><a href="/software/S0434">Imminent Monitor</a> has a PasswordRecoveryPacket module for recovering browser passwords.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."data-reference="QiAnXin APT-C-36 Feb2019">^{<a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0100"> G0100 </a> </td> <td> <a href="/groups/G0100"> Inception </a> </td> <td> <p><a href="/groups/G0100">Inception</a> used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."data-reference="Symantec Inception Framework March 2018">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0528"> S0528 </a> </td> <td> <a href="/software/S0528"> Javali </a> </td> <td> <p><a href="/software/S0528">Javali</a> can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020">^{<a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0283"> S0283 </a> </td> <td> <a href="/software/S0283"> jRAT </a> </td> <td> <p><a href="/software/S0283">jRAT</a> can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019."data-reference="Kaspersky Adwind Feb 2016">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0387"> S0387 </a> </td> <td> <a href="/software/S0387"> KeyBoy </a> </td> <td> <p><a href="/software/S0387">KeyBoy</a> attempts to collect passwords from browsers.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019."data-reference="Rapid7 KeyBoy Jun 2013">^{<a href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/software/S0526">KGH_SPY</a> has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020">^{<a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has used browser extensions including Google Chrome to steal passwords and cookies from browsers. <a href="/groups/G0094">Kimsuky</a> has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019."data-reference="Zdnet Kimsuky Dec 2018">^{<a href="https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019."data-reference="Netscout Stolen Pencil Dec 2018">^{<a href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021">^{<a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> can steal profiles (containing credential information) from Firefox, Chrome, and Opera.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017">^{<a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1004"> G1004 </a> </td> <td> <a href="/groups/G1004"> LAPSUS$ </a> </td> <td> <p><a href="/groups/G1004">LAPSUS$</a> has obtained passwords and session tokens with the use of the Redline password stealer.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022">^{<a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0349"> S0349 </a> </td> <td> <a href="/software/S0349"> LaZagne </a> </td> <td> <p><a href="/software/S0349">LaZagne</a> can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018."data-reference="GitHub LaZagne Dec 2018">^{<a href="https://github.com/AlessandroZ/LaZagne" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0077"> G0077 </a> </td> <td> <a href="/groups/G0077"> Leafminer </a> </td> <td> <p><a href="/groups/G0077">Leafminer</a> used several tools for retrieving login and password information, including LaZagne.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018."data-reference="Symantec Leafminer July 2018">^{<a href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0681"> S0681 </a> </td> <td> <a href="/software/S0681"> Lizar </a> </td> <td> <p><a href="/software/S0681">Lizar</a> has a module to collect usernames and passwords stored in browsers.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022."data-reference="BiZone Lizar May 2021">^{<a href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0447"> S0447 </a> </td> <td> <a href="/software/S0447"> Lokibot </a> </td> <td> <p><a href="/software/S0447">Lokibot</a> has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."data-reference="Infoblox Lokibot January 2019">^{<a href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> collects stored credentials from several web browsers.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/groups/G1026"> G1026 </a> </td> <td> <a href="/groups/G1026"> Malteiro </a> </td> <td> <p><a href="/groups/G1026">Malteiro</a> has stolen credentials stored in the victim’s browsers via software tool NirSoft WebBrowserPassView.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024."data-reference="SCILabs Malteiro 2021">^{<a href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1156"> S1156 </a> </td> <td> <a href="/software/S1156"> Manjusaka </a> </td> <td> <p><a href="/software/S1156">Manjusaka</a> gathers credentials from Chromium-based browsers.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024."data-reference="Talos Manjusaka 2022">^{<a href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0530"> S0530 </a> </td> <td> <a href="/software/S0530"> Melcoz </a> </td> <td> <p><a href="/software/S0530">Melcoz</a> has the ability to steal credentials from web browsers.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020">^{<a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1146"> S1146 </a> </td> <td> <a href="/software/S1146"> MgBot </a> </td> <td> <p><a href="/software/S1146">MgBot</a> includes modules for stealing credentials from various browsers and applications, including Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2023">^{<a href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span><span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024."data-reference="Symantec Daggerfly 2023">^{<a href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0002"> S0002 </a> </td> <td> <a href="/software/S0002"> Mimikatz </a> </td> <td> <p><a href="/software/S0002">Mimikatz</a> performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015."data-reference="Deply Mimikatz">^{<a href="https://github.com/gentilkiwi/mimikatz" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span><span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017."data-reference="GitHub Mimikatz lsadump Module">^{<a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017."data-reference="Directory Services Internals DPAPI Backup Keys Oct 2015">^{<a href="https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019."data-reference="NCSC Joint Report Public Tools">^{<a href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1122"> S1122 </a> </td> <td> <a href="/software/S1122"> Mispadu </a> </td> <td> <p><a href="/software/S1122">Mispadu</a> can steal credentials from Google Chrome.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024."data-reference="SCILabs Malteiro 2021">^{<a href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span><span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024."data-reference="ESET Security Mispadu Facebook Ads 2019">^{<a href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024."data-reference="Metabase Q Mispadu Trojan 2023">^{<a href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0021"> G0021 </a> </td> <td> <a href="/groups/G0021"> Molerats </a> </td> <td> <p><a href="/groups/G0021">Molerats</a> used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."data-reference="DustySky">^{<a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has run tools including Browser64 to steal passwords saved in victim web browsers.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018."data-reference="Symantec MuddyWater Dec 2018">^{<a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span><span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019">^{<a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span><span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020">^{<a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021."data-reference="Proofpoint NETWIRE December 2020">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <p><a href="/software/S0385">njRAT</a> has a module that steals passwords saved in victim web browsers.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013">^{<a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019."data-reference="Trend Micro njRAT 2018">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span><span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016."data-reference="Citizen Lab Group5">^{<a href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0049"> G0049 </a> </td> <td> <a href="/groups/G0049"> OilRig </a> </td> <td> <p><a href="/groups/G0049">OilRig</a> has used credential dumping tools such as <a href="/software/S0349">LaZagne</a> to steal credentials to accounts logged into the compromised system and to Outlook Web Access.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023."data-reference="Unit42 OilRig Playbook 2023">^{<a href="https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017."data-reference="FireEye APT34 Webinar Dec 2017">^{<a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018">^{<a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span><span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019."data-reference="FireEye APT34 July 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span> <a href="/groups/G0049">OilRig</a> has also used tool named PICKPOCKET to dump passwords from web browsers.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019."data-reference="FireEye APT34 July 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0138"> S0138 </a> </td> <td> <a href="/software/S0138"> OLDBAIT </a> </td> <td> <p><a href="/software/S0138">OLDBAIT</a> collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28">^{<a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0365"> S0365 </a> </td> <td> <a href="/software/S0365"> Olympic Destroyer </a> </td> <td> <p><a href="/software/S0365">Olympic Destroyer</a> contains a module that tries to obtain stored credentials from web browsers.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> dumped the login data database from <code>\AppData\Local\Google\Chrome\User Data\Default\Login Data</code>.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016."data-reference="Cymmetria Patchwork">^{<a href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0048"> S0048 </a> </td> <td> <a href="/software/S0048"> PinchDuke </a> </td> <td> <p><a href="/software/S0048">PinchDuke</a> steals credentials from compromised hosts. <a href="/software/S0048">PinchDuke</a>'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by <a href="/software/S0048">PinchDuke</a> include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. <span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes">^{<a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0435"> S0435 </a> </td> <td> <a href="/software/S0435"> PLEAD </a> </td> <td> <p><a href="/software/S0435">PLEAD</a> can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020."data-reference="TrendMicro BlackTech June 2017">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020."data-reference="ESET PLEAD Malware July 2018">^{<a href="https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0428"> S0428 </a> </td> <td> <a href="/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/software/S0428">PoetRAT</a> has used a Python tool named Browdec.exe to steal browser credentials.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."data-reference="Talos PoetRAT April 2020">^{<a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0113"> S0113 </a> </td> <td> <a href="/software/S0113"> Prikormka </a> </td> <td> <p>A module in <a href="/software/S0113">Prikormka</a> gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016."data-reference="ESET Operation Groundbait">^{<a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0279"> S0279 </a> </td> <td> <a href="/software/S0279"> Proton </a> </td> <td> <p><a href="/software/S0279">Proton</a> gathers credentials for Google Chrome.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017">^{<a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> can use Lazagne for harvesting credentials.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy">^{<a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> has collected usernames and passwords from Firefox and Chrome.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021">^{<a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/software/S0262">QuasarRAT</a> can obtain passwords from common web browsers.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018."data-reference="GitHub QuasarRAT">^{<a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018."data-reference="Volexity Patchwork June 2018">^{<a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1148"> S1148 </a> </td> <td> <a href="/software/S1148"> Raccoon Stealer </a> </td> <td> <p><a href="/software/S1148">Raccoon Stealer</a> collects passwords, cookies, and autocomplete information from various popular web browsers.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024."data-reference="Sekoia Raccoon2 2022">^{<a href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0629"> S0629 </a> </td> <td> <a href="/software/S0629"> RainyDay </a> </td> <td> <p><a href="/software/S0629">RainyDay</a> can use tools to collect credentials from web browsers.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> used <a href="/software/S0349">LaZagne</a> to obtain passwords from web browsers.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1">^{<a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2">^{<a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0153"> S0153 </a> </td> <td> <a href="/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/software/S0153">RedLeaves</a> can gather browser usernames and passwords.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018."data-reference="Accenture Hogfish April 2018">^{<a href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0240"> S0240 </a> </td> <td> <a href="/software/S0240"> ROKRAT </a> </td> <td> <p><a href="/software/S0240">ROKRAT</a> can steal credentials stored in Web browsers by querying the sqlite database.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018."data-reference="Talos Group123">^{<a href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a>'s CredRaptor tool can collect saved passwords from various internet browsers.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016">^{<a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/software/S0692">SILENTTRINITY</a> can collect clear text web credentials for Internet Explorer/Edge.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019">^{<a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0226"> S0226 </a> </td> <td> <a href="/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/software/S0226">Smoke Loader</a> searches for credentials stored from web browsers.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018."data-reference="Talos Smoke Loader July 2018">^{<a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> stole users' saved passwords from Chrome.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022">^{<a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0038"> G0038 </a> </td> <td> <a href="/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/groups/G0038">Stealth Falcon</a> malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016">^{<a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1042"> S1042 </a> </td> <td> <a href="/software/S1042"> SUGARDUMP </a> </td> <td> <p><a href="/software/S1042">SUGARDUMP</a> variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022."data-reference="Mandiant UNC3890 Aug 2022">^{<a href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0092"> G0092 </a> </td> <td> <a href="/groups/G0092"> TA505 </a> </td> <td> <p><a href="/groups/G0092">TA505</a> has used malware to gather credentials from Internet Explorer.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Sep 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using <a href="/software/S0404">esentutl</a>.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018."data-reference="Trend Micro Trickbot Nov 2018">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021."data-reference="Bitdefender Trickbot VNC module Whitepaper 2021">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/software/S0094">Trojan.Karagany</a> can steal data and credentials from browsers.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019">^{<a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0436"> S0436 </a> </td> <td> <a href="/software/S0436"> TSCookie </a> </td> <td> <p><a href="/software/S0436">TSCookie</a> has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020."data-reference="JPCert TSCookie March 2018">^{<a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0130"> S0130 </a> </td> <td> <a href="/software/S0130"> Unknown Logger </a> </td> <td> <p><a href="/software/S0130">Unknown Logger</a> is capable of stealing usernames and passwords from browsers on the victim machine.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon">^{<a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has targeted network administrator browser data including browsing history and stored credentials.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024">^{<a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/software/S0670">WarzoneRAT</a> has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020">^{<a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022."data-reference="Uptycs Warzone UAC Bypass November 2020">^{<a href="https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0161"> S0161 </a> </td> <td> <a href="/software/S0161"> XAgentOSX </a> </td> <td> <p><a href="/software/S0161">XAgentOSX</a> contains the getFirefoxPassword function to attempt to locate Firefox passwords.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017."data-reference="XAgentOSX 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0251"> S0251 </a> </td> <td> <a href="/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/software/S0251">Zebrocy</a> has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019">^{<a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0128"> G0128 </a> </td> <td> <a href="/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/groups/G0128">ZIRCONIUM</a> has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020">^{<a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1027"> M1027 </a> </td> <td> <a href="/mitigations/M1027"> Password Policies </a> </td> <td> <p>Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1021"> M1021 </a> </td> <td> <a href="/mitigations/M1021"> Restrict Web-Based Content </a> </td> <td> <p>Restrict or block web-based content that could be used to extract session cookies or credentials stored in browsers. Use browser security settings, such as disabling third-party cookies and restricting browser extensions, to limit the attack surface.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1051"> M1051 </a> </td> <td> <a href="/mitigations/M1051"> Update Software </a> </td> <td> <p>Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1018"> M1018 </a> </td> <td> <a href="/mitigations/M1018"> User Account Management </a> </td> <td> <p>Implement strict user account management policies to prevent unnecessary accounts from accessing sensitive systems. Regularly audit user accounts to identify and disable inactive accounts that may be targeted by attackers to extract credentials or gain unauthorized access.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1017"> M1017 </a> </td> <td> <a href="/mitigations/M1017"> User Training </a> </td> <td> <p>Provide user training on secure practices for managing credentials, including avoiding storing sensitive passwords in browsers and using password managers securely. Users should also be educated on identifying phishing attempts that could steal session cookies or credentials.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p><p>Analytic 1 - Commands indicating credential searches in web browsers.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("<em>sqlite3</em> <em>logins</em>", "<em>CryptUnprotectData</em>", "<em>security find-internet-password</em>", "<em>sqlcipher</em> <em>logins</em>", "<em>strings</em> <em>Login Data</em>", "<em>cat</em> <em>Login Data</em>", "<em>cat</em> <em>logins.json</em>", "<em>sqlite3</em> <em>signons.sqlite</em>"))</code></p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Access">File Access</a> </td> <td> <p>Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code>. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.</p><p>Analytic 1 - Unauthorized access to web browser credential files.</p><p><code>index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="file_open"((file_path IN ("<em>\AppData\Local\Google\Chrome\User Data\Default\Login Data", "</em>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "<em>\AppData\Roaming\Mozilla\Firefox\Profiles\</em>\logins.json") AND Platform="Windows") OR (file_path IN ("/home/<em>/.mozilla/firefox/</em>/logins.json", "/home/<em>/.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users/</em>/Library/Application Support/Google/Chrome/Default/Login Data", "/Users/<em>/Library/Application Support/Firefox/Profiles/</em>/logins.json") AND Platform="macOS")) </code></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p><p>Analytic 1 - Suspicious API calls related to web browser credential access.</p><p><code> index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))</code></p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Access"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Access">Process Access</a> </td> <td> <p>Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).</p><p>Analytic 1 - Unauthorized process access indicating credential searches in web browsers.</p><p><code>index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("<em>sqlite3</em> <em>logins</em>", "<em>sqlcipher</em> <em>logins</em>", "<em>db-browser</em> <em>Login Data</em>", "<em>db-browser</em> <em>logins.json</em>", "<em>CryptUnprotectData</em>", "<em>security find-internet-password</em>", "<em>security dump-keychain</em>", "<em>strings</em> <em>Login Data</em>", "<em>cat</em> <em>Login Data</em>", "<em>cat</em> <em>logins.json</em>", "<em>sqlite3</em> <em>signons.sqlite</em>")) </code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata" target="_blank"> Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign" target="_blank"> Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html" target="_blank"> Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://github.com/putterpanda/mimikittenz" target="_blank"> Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank"> Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank"> Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank"> Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank"> Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank"> F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank"> Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank"> Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank"> Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank"> Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank"> Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank"> Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank"> Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies" target="_blank"> Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank"> Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" target="_blank"> Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank"> ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://github.com/AlessandroZ/LaZagne" target="_blank"> Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank"> Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank"> BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank"> Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank"> SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank"> Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank"> Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank"> Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://github.com/gentilkiwi/mimikatz" target="_blank"> Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="55.0"> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump" target="_blank"> Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/" target="_blank"> Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank"> The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank"> ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank"> Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank"> Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank"> Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" target="_blank"> Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank"> Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank"> Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank"> Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/" target="_blank"> Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank"> Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank"> Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank"> CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank"> Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank"> Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/" target="_blank"> Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank"> Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" target="_blank"> Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank"> Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>