
Guard Your Vaults: CHAVECLOAK Emerges as a Menace to Brazil's Financial Landscape
Targeting Brazil's financial sector, the CHAVECLOAK banking Trojan uses PDFs, ZIP downloads, DLL sideloading, and misleading pop-ups, as well as smishing, phishing emails, and compromised websites to steal banking information from users. Researchers have identified a threat actor who initially distributed this sophisticated Trojan via a malicious PDF and then used DLL sideloading to download and execute a ZIP file. The campaign was specifically designed to steal financial data from Brazilian banking users.
Indicators of Compromise
Domains (2)
comunidadebet20102.hopto.org
mariashow.ddns.net
Hashes (19)
[the 19 hashes are not included in this copy of the page]
IP addresses (1)
64.225.32.24
Notes
<div><b>CONCLUSIONS</b></div><div>Organizations can significantly reduce their vulnerability to phishing attacks by implementing these remediation strategies. However, it is crucial to understand that the threat landscape is constantly evolving, and ongoing vigilance, adaptation, and education are key to maintaining robust cybersecurity defenses.</div>
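The network indicators above (two domains and one IP address) are most useful when matched against proxy or DNS telemetry. The following is an added example for this page, not code from the original report or its authors: it matches squid-style proxy log lines against the listed indicators, treating subdomains of an indicator domain as hits, ignoring case and trailing dots, and refusing to match a longer name that merely ends with the same characters. The log lines are constructed samples; the indicator values are the ones the page lists.

```python
"""Match proxy log lines against the CHAVECLOAK network indicators listed above.

Added example for this page, not code from the original report or its authors.
The indicator values are the two domains and the IP address the page lists; the
log lines are constructed samples in a squid-style "timestamp client method
target" format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the page.
IOC_DOMAINS = {"comunidadebet20102.hopto.org", "mariashow.ddns.net"}
IOC_IPS = {ipaddress.ip_address("64.225.32.24")}

# Constructed sample log: one benign line, one near-miss, and four true hits
# that exercise case, CONNECT host:port targets, subdomains and trailing dots.
SAMPLE_LOG = """\
1709900001 10.0.0.15 GET http://comunidadebet20102.hopto.org/update.zip
1709900002 10.0.0.15 GET https://www.example.com/index.html
1709900003 10.0.0.22 CONNECT MARIASHOW.DDNS.NET:443
1709900004 10.0.0.22 GET http://64.225.32.24/panel/
1709900005 10.0.0.30 GET http://cdn.mariashow.ddns.net./img.png
1709900006 10.0.0.31 GET http://notmariashow.ddns.net/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)$"
)


def normalize_host(host):
    """Lower-case the name and drop the trailing dot of a fully qualified form."""
    return host.strip().lower().rstrip(".")


def host_from_target(target):
    """Return the host of a URL, or of a bare host:port CONNECT target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def match_indicator(host, domains=IOC_DOMAINS, ips=IOC_IPS):
    """Return the indicator that `host` matches, or None.

    A domain indicator matches the name itself and any subdomain of it, but a
    longer name that merely ends with the same characters (notmariashow...)
    does not. IP literals are compared as addresses, not as strings.
    """
    host = normalize_host(host)
    try:
        return host if ipaddress.ip_address(host) in ips else None
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(text):
    """Return (timestamp, client, indicator) for every line touching an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        indicator = match_indicator(host_from_target(m["target"]))
        if indicator:
            hits.append((m["ts"], m["client"], indicator))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {ioc}")
```

The suffix check is done on a dot boundary deliberately: a plain substring or `endswith` test would also flag `notmariashow.ddns.net`, which is not the indicator. Hostnames are compared after lower-casing and stripping a trailing dot because both appear in real DNS and proxy logs.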
Mitigation
<span id="docs-internal-guid-50d3bc8e-7fff-1ac8-c6a7-fdc3c733ac4e">
<p><b>MITIGATIONS</b></p>
<p><b>ATT&CK IDS:</b></p>
<p><b>T1574 - Hijack Execution Flow, T1003 - OS Credential Dumping, T1566 - Phishing, T1204 - User Execution, T1102 - Web Service, T1059 - Command and Scripting Interpreter, T1056 - Input Capture</b></p>
<br>
<p><b>T1574 - Hijack Execution Flow</b></p>
<p>Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.</p>
<br>
<p>There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.</p>
<br>
<p><b>T1003 - OS Credential Dumping</b></p>
<p>Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.</p>
<br>
<p>Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.</p>
<br>
<div align="left">
<table>
<tbody>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/001/">T1003.001</a></td><td><a href="https://attack.mitre.org/techniques/T1003/001/">LSASS Memory</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/002/">T1003.002</a></td><td><a href="https://attack.mitre.org/techniques/T1003/002/">Security Account Manager</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/003/">T1003.003</a></td><td><a href="https://attack.mitre.org/techniques/T1003/003/">NTDS</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/004/">T1003.004</a></td><td><a href="https://attack.mitre.org/techniques/T1003/004/">LSA Secrets</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/005/">T1003.005</a></td><td><a href="https://attack.mitre.org/techniques/T1003/005/">Cached Domain Credentials</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/006/">T1003.006</a></td><td><a href="https://attack.mitre.org/techniques/T1003/006/">DCSync</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/007/">T1003.007</a></td><td><a href="https://attack.mitre.org/techniques/T1003/007/">Proc Filesystem</a></td></tr>
<tr><td><a href="https://attack.mitre.org/techniques/T1003/008/">T1003.008</a></td><td><a href="https://attack.mitre.org/techniques/T1003/008/">/etc/passwd and /etc/shadow</a></td></tr>
</tbody>
</table>
</div>
<br>
<p><b>T1566 - Phishing</b></p>
<p>Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.</p>
<br>
<p>Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., Email Hiding Rules). Another way to accomplish this is by forging or spoofing the identity of the sender, which can be used to fool both the human recipient and automated security tools.</p>
<br>
<p>Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware, or install adversary-accessible remote management tools onto their computer (i.e., User Execution).</p>
<br>
<p><b>T1204 - User Execution</b></p>
<p>An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.</p>
<br>
<p>While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.</p>
<br>
<p>Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.</p>
<br>
<p><b>T1102 - Web Service</b></p>
<p>Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.</p>
<br>
<p>Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).</p>
<br>
<p><b>T1059 - Command and Scripting Interpreter</b></p>
<p>Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.</p>
<br>
<p>There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.</p>
<br>
<p>Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.</p>
<br>
<p><b>T1056 - Input Capture</b></p>
<p>Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).</p>
<br>
<p>There are many options for the attachment, such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. You can find more information about phishing attacks on the SOCRadar blog: <a href="https://socradar.io/how-to-detect-phishing-attacks/">How to Detect Phishing Attacks?</a></p>
</span>
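The T1574 section above describes execution-flow hijacking through how the operating system locates libraries, which is the DLL sideloading this campaign relies on. The following is an added example for this page, not code from the original report or from Sysmon: it runs a sideload heuristic over image-load records shaped like Sysmon Event ID 7, flagging an unsigned DLL loaded by a signed executable from its own user-writable directory, and a DLL whose name shadows a System32 library outside the system directory. The `ProcessSigned` field is an assumed enrichment (whether the loading executable is signed) that a pipeline would join from the process-creation event; the records, directory prefixes and system-DLL inventory are constructed samples.

```python
"""Flag DLL sideloading candidates in image-load telemetry (T1574 above).

Added example for this page, not code from the original report or from Sysmon.
The records mimic Sysmon Event ID 7 (ImageLoad) fields; `ProcessSigned` is an
assumed enrichment field (whether the loading executable itself is signed) that
a pipeline would join in from the process-creation event. All records,
directory lists and the system-DLL inventory are constructed samples.
"""
from pathlib import PureWindowsPath

# Directories a standard user can write to (lower-case, trailing backslash).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Locations where a legitimately installed library is expected to live.
TRUSTED_LIB_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# Constructed inventory of library names shipped in System32; a copy of one of
# these appearing in a user-writable directory is the search-order hijack shape.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}

# Constructed image-load records: two sideload shapes and three benign loads.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\viewer.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\viewer\\viewer.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
    {"Image": "C:\\Users\\bob\\Downloads\\tool\\tool.exe",
     "ImageLoaded": "C:\\Users\\bob\\Downloads\\tool\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "ProcessSigned": "true"},
    {"Image": "C:\\Users\\bob\\Downloads\\tool\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "ProcessSigned": "true"},
]


def classify_load(ev):
    """Return the reasons an image-load record looks like a sideload (empty if none)."""
    image = PureWindowsPath(ev["Image"].lower())
    loaded = PureWindowsPath(ev["ImageLoaded"].lower())
    loaded_s = str(loaded)
    reasons = []
    # Only DLLs matter here, and libraries under the system roots are expected.
    if loaded.suffix != ".dll" or loaded_s.startswith(TRUSTED_LIB_PREFIXES):
        return reasons
    in_user_dir = loaded_s.startswith(USER_WRITABLE_PREFIXES)
    same_dir = image.parent == loaded.parent
    library_unsigned = (ev.get("Signed", "false").lower() != "true"
                        or ev.get("SignatureStatus", "").lower() != "valid")
    host_signed = ev.get("ProcessSigned", "false").lower() == "true"
    if in_user_dir and same_dir and host_signed and library_unsigned:
        reasons.append("signed executable loaded an unsigned DLL from its own "
                       "user-writable directory")
    if in_user_dir and loaded.name in KNOWN_SYSTEM_DLLS:
        reasons.append("DLL name shadows a System32 library outside the system directory")
    return reasons


def find_sideloads(events):
    """Return (ImageLoaded, reasons) for every suspicious record, in input order."""
    return [(ev["ImageLoaded"], r) for ev in events if (r := classify_load(ev))]


if __name__ == "__main__":
    for path, reasons in find_sideloads(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The two checks are kept separate because they answer different questions: the first is the signed-host-plus-unsigned-library pairing that sideloading produces regardless of file name, the second catches a search-order hijack even when the planted library is signed with some throwaway certificate. Tuning the prefix lists to the environment (developer machines load unsigned DLLs from user directories constantly) is the work that turns this from a heuristic into a rule.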
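The paragraph above on attachments names the concrete disguises a mail gateway can screen for: executable types, document-looking double extensions, and archives whose password is handed over in the email body. The following is an added example for this page, not code from the original report: it scores an attachment file name against those shapes. It goes one step beyond the page by also rejecting Unicode bidirectional-override characters, a known way of making an extension render differently from what it is; the extension sets and sample names are constructed and are a starting point, not a complete policy.

```python
"""Screen attachment file names for the disguises the paragraph above describes.

Added example for this page, not code from the original report. The extension
sets are a constructed starting list, not a complete policy, and the names in
SAMPLE_ATTACHMENTS are constructed. The bidirectional-override check goes
beyond the page, which speaks of manipulated extensions generally.
"""
import re

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                  "vbe", "wsf", "hta", "msi", "dll", "lnk", "ps1"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                "jpg", "jpeg", "png"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso", "img"}
# Unicode controls that reorder how a name is displayed (e.g. U+202E RLO).
BIDI_OVERRIDES = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}

# Constructed sample names covering each shape the page describes.
SAMPLE_ATTACHMENTS = [
    "report_q1.pdf",
    "invoice.pdf.exe",
    "scan.zip",
    "photo.jpg" + " " * 40 + ".scr",
    "invoice\u202efdp.exe",
    "summary.docx",
]


def assess_attachment(name):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    reasons = []
    bidi = any(ch in name for ch in BIDI_OVERRIDES)
    if bidi:
        reasons.append("bidirectional override character hides the real extension")
    # Strip the overrides so the extension logic sees the name the OS sees.
    cleaned = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    if re.search(r"\s{3,}", cleaned):
        reasons.append("whitespace padding pushes the real extension out of view")
    parts = cleaned.lower().split(".")
    exts = [p.strip() for p in parts[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXT:
        reasons.append(f"executable type .{final}")
        if any(e in DOCUMENT_EXT for e in exts[:-1]):
            reasons.append("document extension precedes the executable one (double extension)")
    elif final in ARCHIVE_EXT:
        reasons.append("archive: inspect contents; a password-protected archive "
                       "defeats gateway scanning")
    if final in EXECUTABLE_EXT or bidi:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons


def screen(names):
    """Map each attachment name to its verdict."""
    return {n: assess_attachment(n)[0] for n in names}


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        verdict, reasons = assess_attachment(n)
        print(f"{verdict:6} {n!r}")
        for reason in reasons:
            print("        -", reason)
```

Archives are routed to review rather than blocked outright because the page's point about them is that the content, not the name, decides: a gateway that cannot open the archive (because the password travels in the email body) has not scanned anything, and that condition should be surfaced rather than silently passed.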