- WhisperGate can download additional payloads hosted on a Discord channel.
- Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.
- TeamTNT has leveraged a web service to send collected data back to C2.
- Snip3 can download additional payloads from web services including Pastebin and top4top.
- SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.
- Sibot has used a legitimate compromised website to download DLLs to the victim's machine.
- SharpStage has used a legitimate web service for evading detection.
- Rocke has used Pastebin, Gitee, and GitLab for Command and Control.
- During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.
- Ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.
- NETWIRE has used web services including Paste.ee to host payloads.
- Mustang Panda has used DropBox URLs to deliver variants of PlugX.
- LazyScripter has used GitHub to host its payloads to operate spam campaigns.
- Inception has incorporated at least five different cloud service providers into their C2 infrastructure, including CloudMe.
- Hildegard has downloaded scripts from GitHub.
- GuLoader has the ability to download malware from Google Drive.
- NET executable on the compromised system.
- Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's.
- Fox Kitten has used Amazon Web Services to host C2.
- FIN8 has used sslip.io, a free IP-to-domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.
- FIN6 has used Pastebin and Google Storage to host content for their operations.
- EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.
- Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.
- DropBook can communicate with its operators by exploiting Simplenote, DropBox, and the social media platform Facebook, where it can create fake accounts to control the backdoor and receive instructions.
- Doki has used the API to generate a C2 address.
- DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.
- CharmPower can download additional modules from actor-controlled Amazon S3 buckets.
- Carbon can use Pastebin to receive C2 commands.
- During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.
- During C0017, APT41 used Cloudflare services for C2 communications.
- Bumblebee has been downloaded to victims' machines from OneDrive.
- Brute Ratel C4 can use legitimate websites for external C2 channels, including Slack, Discord, and MS Teams.
- BoomBox can download files from Dropbox using a hardcoded access token.
- Bazar downloads have been hosted on Google Docs.
- BADHATCH can be utilized to abuse sslip.io, a free IP-to-domain mapping service, as part of actor-controlled C2 channels.
- APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.