DOI: 10.1145/3678890.3678909
research-article
Open access

ADAPT it! Automating APT Campaign and Group Attribution by Leveraging and Linking Heterogeneous Files

Published: 30 September 2024

Abstract

Recent years have witnessed a surge in Advanced Persistent Threats (APTs), posing significant challenges to the security landscape and affecting industry, governance, and democracy. The ever-growing number of actors and the complexity of their campaigns have made it difficult for defenders to track and attribute these malicious activities effectively. Traditionally, researchers have relied on threat intelligence to track APTs. However, this often leads to fragmented information, delays in connecting campaigns with specific threat groups, and misattribution.
In response to these challenges, we introduce ADAPT, a machine learning-based approach for automatically attributing APTs at two levels: (1) the threat campaign level, to identify samples with similar objectives and (2) the threat group level, to identify samples operated by the same entity. ADAPT supports a variety of heterogeneous file types targeting different platforms, including executables and documents, and uses linking features to find connections between them. We evaluate ADAPT on a reference dataset from MITRE as well as a comprehensive, label-standardized dataset of 6,134 APT samples belonging to 92 threat groups. Using real-world case studies, we demonstrate that ADAPT effectively identifies clusters representing threat campaigns and associates them with their respective groups.


Published In

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses
September 2024
719 pages
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. advanced persistent threats
2. attribution
3. clustering
4. malware

Qualifiers

• Research-article
• Research
• Refereed limited

Funding Sources

• Österreichische Forschungsförderungsgesellschaft
• European Union - Recovery, Transformation and Resilience Plan (Next Generation)
• Vienna Science and Technology Fund
• Google ASPIRE Award

Conference

RAID '24

Acceptance Rates

RAID '24 Paper Acceptance Rate: 43 of 173 submissions, 25%
Overall Acceptance Rate: 43 of 173 submissions, 25%
