
Operation AppleJeus: North Korea’s Cryptocurrency Malware
After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses.
Indicators of Compromise
Domains (25)
Hashes (114)
IPv4 (8)
APT Groups
Lazarus Group
Korea, Democratic People's Republic of
Notes
<div><div>In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology. To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.</div><div><br></div><div>After releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise cryptocurrency businesses. We found more macOS malware similar to that used in the original Operation AppleJeus case. This macOS malware used public source code in order to build crafted macOS installers. The malware authors used QtBitcoinTrader developed by Centrabit.</div></div>
Mitigation
<div class="field field--name-field-aa-technical-details field--type-text-long field--label-hidden field--item">
<p class="text-align-center"><em>MITRE ATT&CK techniques observed</em></p>
<table border="1" cellpadding="1" cellspacing="1" class="general-table">
<thead><tr><th><strong>Tactic Title</strong></th><th><strong>Technique ID</strong></th><th><strong>Technique Title</strong></th></tr></thead>
<tbody>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0042/">Resource Development [TA0042]</a></td><td>T1583.001</td><td>Acquire Infrastructure: Domain</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0042/">Resource Development [TA0042]</a></td><td>T1583.006</td><td>Acquire Infrastructure: Web Services</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0042/">Resource Development [TA0042]</a></td><td>T1587.001</td><td>Develop Capabilities: Malware</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0042/">Resource Development [TA0042]</a></td><td>T1588.003</td><td>Obtain Capabilities: Code Signing Certificates</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0042/">Resource Development [TA0042]</a></td><td>T1588.004</td><td>Obtain Capabilities: Digital Certificates</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0001">Initial Access [TA0001]</a></td><td>T1566.002</td><td>Phishing: Spearphishing Link</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0002">Execution [TA0002]</a></td><td>T1059</td><td>Command and Scripting Interpreter</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0002">Execution [TA0002]</a></td><td>T1059.004</td><td>Command and Scripting Interpreter: Unix Shell</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0002">Execution [TA0002]</a></td><td>T1204.002</td><td>User Execution: Malicious File</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0003">Persistence [TA0003]</a></td><td>T1053.004</td><td>Scheduled Task/Job: Launchd</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0003">Persistence [TA0003]</a></td><td>T1543.004</td><td>Create or Modify System Process: Launch Daemon</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0003">Persistence [TA0003]</a></td><td>T1547</td><td>Boot or Logon Autostart Execution</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0004">Privilege Escalation [TA0004]</a></td><td>T1053.005</td><td>Scheduled Task/Job: Scheduled Task</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0005">Defense Evasion [TA0005]</a></td><td>T1027</td><td>Obfuscated Files or Information</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0005">Defense Evasion [TA0005]</a></td><td>T1548</td><td>Abuse Elevation Control Mechanism</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0005">Defense Evasion [TA0005]</a></td><td>T1564.001</td><td>Hide Artifacts: Hidden Files and Directories</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0007">Discovery [TA0007]</a></td><td>T1033</td><td>System Owner/User Discovery</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0010">Exfiltration [TA0010]</a></td><td>T1041</td><td>Exfiltration Over C2 Channel</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0011">Command and Control [TA0011]</a></td><td>T1071.001</td><td>Application Layer Protocol: Web Protocols</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0011">Command and Control [TA0011]</a></td><td>T1573</td><td>Encrypted Channel</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/tactics/TA0011">Command and Control [TA0011]</a></td><td>T1573.001</td><td>Encrypted Channel: Symmetric Cryptography</td></tr>
</tbody>
</table>
</div>
<div class="field field--name-field-aa-technical-details field--type-text-long field--label-hidden field--item">
<p>Consider the following recommendations for defense against AppleJeus malware and related activity.</p>
<h4><em>Cryptocurrency Users</em></h4>
<ul>
<li>Verify the source of cryptocurrency-related applications.</li>
<li>Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.</li>
<li>Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.</li>
<li>Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.</li>
<li>Consider having a dedicated device for cryptocurrency management.</li>
</ul>
<h4><em>Financial Service Companies</em></h4>
<ul>
<li>Verify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks at <a href="https://ithandbook.ffiec.gov/">https://ithandbook.ffiec.gov</a>, especially those related to information security.</li>
<li>Report suspicious cyber and financial activities. For more information on mandatory and voluntary reporting of cyber events via suspicious activity reports, see the Financial Crimes Enforcement Network (FinCEN) Advisory FIN-2016-A005: Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime at <a href="https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf">https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf</a> and FinCEN’s Section 314(b) Fact Sheet at <a href="https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf">https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf</a>.</li>
</ul>
<h4><em>Cryptocurrency Businesses</em></h4>
<ul>
<li>Verify compliance with the Cryptocurrency Security Standard at <a href="http://cryptoconsortium.github.io/CCSS/" class="ext">http://cryptoconsortium.github.io/CCSS/</a>.</li>
</ul>
<div>
<p class="text-align-center"><em>MITRE ATT&CK mitigations based on observed techniques</em></p>
<table border="1" cellpadding="1" cellspacing="1" class="general-table">
<thead><tr><th><strong>Mitigation</strong></th><th><strong>Description</strong></th></tr></thead>
<tbody>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1017">User Training [M1017]</a></td><td>Train users to identify social engineering techniques and spearphishing emails.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1017">User Training [M1017]</a></td><td>Provide users with awareness of common phishing and spearphishing techniques and raise suspicion for potentially malicious events.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1018">User Account Management [M1018]</a></td><td>Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create new Launch Daemons.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1018">User Account Management [M1018]</a></td><td>Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create scheduled tasks on remote systems.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1020">SSL/TLS Inspection [M1020]</a></td><td>Use SSL/TLS inspection to see encrypted sessions’ contents and look for network-based indicators of malware communication protocols.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1021">Restrict Web-Based Content [M1021]</a></td><td>Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if the activity cannot be monitored well or poses a significant risk.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1021">Restrict Web-Based Content [M1021]</a></td><td>Block script extensions to prevent the execution of scripts and HTA files that may commonly be used during the exploitation process.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1021">Restrict Web-Based Content [M1021]</a></td><td>Employ an adblocker to prevent malicious code served up through ads from executing.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1022">Restrict File and Directory Permissions [M1022]</a></td><td>Prevent all users from writing to the <code>/Library/StartupItems</code> directory to prevent any startup items from getting registered, since <code>StartupItems</code> are deprecated.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1026">Privileged Account Management [M1026]</a></td><td>When PowerShell is necessary, restrict PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1026">Privileged Account Management [M1026]</a></td><td>Configure the Increase Scheduling Priority option to allow only the Administrators group the right to schedule a priority process.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1028">Operating System Configuration [M1028]</a></td><td>Configure settings for scheduled tasks to force tasks to run under the authenticated account’s context instead of allowing them to run as SYSTEM.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1031">Network Intrusion Prevention [M1031]</a></td><td>Use network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware and mitigate activity at the network level.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1038">Execution Prevention [M1038]</a></td><td>Use application control tools where appropriate.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1038">Execution Prevention [M1038]</a></td><td>Use application control tools to prevent the running of executables masquerading as other files.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1040">Behavior Prevention on Endpoint [M1040]</a></td><td>Configure endpoints (if possible) to block some process injection types based on common sequences of behavior during the injection process.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1042">Disable or Remove Feature or Program [M1042]</a></td><td>Disable or remove any unnecessary or unused shells or interpreters.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1045">Code Signing [M1045]</a></td><td>Where possible, only permit the execution of signed scripts.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1047">Audit [M1047]</a></td><td>Audit logging for <code>launchd</code> events in macOS can be reviewed or centrally collected using multiple options, such as Syslog, OpenBSM, or OSquery.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1047">Audit [M1047]</a></td><td>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.</td></tr>
<tr><td><a href="https://attack.mitre.org/versions/v8/mitigations/M1049">Antivirus/Antimalware [M1049]</a></td><td>Use an antivirus program to quarantine suspicious files automatically.</td></tr>
</tbody>
</table>
</div>
</div>
<a id="mitigations"></a>
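As an added example (not code from this entry, CISA or MITRE), the following Python script audits launchd job plists for the persistence and execution indicators the tables above list: Unix shell launchers (T1059.004), hidden path components (T1564.001) and executables outside trusted locations (T1543.004, T1053.004). The two sample plists and the trusted-prefix list are constructed assumptions; on a Mac the script also walks the real launchd directories.

```python
import os
import plistlib
import shlex
from pathlib import PurePosixPath

# Constructed sample jobs (not from the report). A benign vendor updater...
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# ...and a job that launches a hidden helper through /bin/sh from a user directory.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/alice/Library/.cache/helper --silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/ksh"}
# Assumed allowlist of locations a legitimate launchd job normally executes from.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")


def _paths_in(args):
    """Yield every absolute path in ProgramArguments, including paths buried in a `sh -c '...'` string."""
    for arg in args:
        try:
            tokens = shlex.split(arg)
        except ValueError:          # unbalanced quotes: inspect the raw string instead
            tokens = [arg]
        for tok in tokens:
            if tok.startswith("/"):
                yield tok


def _has_hidden_component(path):
    return any(p.startswith(".") and p not in (".", "..") for p in PurePosixPath(path).parts)


def audit_launchd_plist(data):
    """Return a list of findings (empty when nothing looks wrong) for one plist's bytes."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        return ["job declares neither Program nor ProgramArguments"]
    findings = []
    if program in SHELLS:
        findings.append(f"T1059.004: job is launched through a Unix shell ({program})")
    for path in sorted({program, *_paths_in(args)}):
        if _has_hidden_component(path):
            findings.append(f"T1564.001: hidden path component in {path}")
        if not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"T1543.004/T1053.004: executable outside trusted locations: {path}")
    return findings


def audit_launchd_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                             os.path.expanduser("~/Library/LaunchAgents"))):
    """Audit every .plist in the given directories; missing dirs (e.g. on Linux) are skipped."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(d, name)
            try:
                with open(full, "rb") as fh:
                    report[full] = audit_launchd_plist(fh.read())
            except Exception as exc:  # unreadable or non-plist file is itself worth noting
                report[full] = [f"could not parse: {exc}"]
    return report


if __name__ == "__main__":
    print("benign sample:", audit_launchd_plist(BENIGN_PLIST))
    print("suspicious sample:", audit_launchd_plist(SUSPICIOUS_PLIST))
    for path, findings in audit_launchd_dirs().items():
        if findings:
            print(path, findings)
```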