Web Service, Technique T1102 - Enterprise
APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.[2]
APT41 DUST used compromised Google Workspace accounts for command and control.[3]
APT42 has used various links, such as links with typo-squatted domains, links to Dropbox files and links to fake Google sites, in spearphishing operations.[4][5][6]
AshTag can download malicious payloads from file sharing services.[7]
BADHATCH can be utilized to abuse sslip.io, a free IP-to-domain mapping service, as part of actor-controlled C2 channels.[8]
Bazar downloads have been hosted on Google Docs.[9][10]
BoomBox can download files from Dropbox using a hardcoded access token.[11]
BRICKSTORM has leveraged DNS web services to resolve C2 IP addresses including sslip.io and nip.io.[12] BRICKSTORM has also utilized Cloudflare Workers for C2 communications.[12]
Brute Ratel C4 can use legitimate websites for external C2 channels including Slack, Discord, and MS Teams.[13]
Bumblebee has been downloaded to victims' machines from OneDrive.[14]
During C0017, APT41 used Cloudflare services for C2 communications.[15]
During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.[16]
Carbon can use Pastebin to receive C2 commands.[17]
CharmPower can download additional modules from actor-controlled Amazon S3 buckets.[18]
CHIMNEYSWEEP has the ability to use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.[19]
DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.[20]
Doki has used the dogechain.info API to generate a C2 address.[21]
DropBook can communicate with its operators by abusing Simplenote, Dropbox, and the social media platform Facebook, where it can create fake accounts to control the backdoor and receive instructions.[22][23]
EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.[24]
FIN6 has used Pastebin and Google Storage to host content for their operations.[25]
FIN8 has used sslip.io, a free IP-to-domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.[26]
Fox Kitten has used Amazon Web Services to host C2.[27]
Gamaredon Group has used GitHub repositories to host downloaders that are retrieved by the group's .NET executable on the compromised system.[28]
GuLoader has the ability to download malware from Google Drive.[29]
Hildegard has downloaded scripts from GitHub.[30]
Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.[31][32]
Latrodectus has used Google Firebase to download malicious installation scripts.[33]
LazyScripter has used GitHub to host its payloads to operate spam campaigns.[34]
MOPSLED can use third-party web services such as GitHub and Google Drive for C2.[35]
Mustang Panda has used Dropbox URLs to deliver variants of PlugX.[36] Mustang Panda has also used Google Drive to host malicious downloads.[37]
NETWIRE has used web services including Paste.ee to host payloads.[38]
ngrok has been used by threat actors to proxy C2 connections to ngrok service subdomains.[39]
Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.[40][41]
During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.[42]
PureCrypter can use Telegram or Discord to send infection status messages.[43]
Raspberry Robin second stage payloads can be hosted as RAR files, containing a malicious EXE and DLL, on Discord servers.[44]
RedCurl has used web services to download malicious files.[45][46]
RedLine Stealer has leveraged legitimate file sharing web services to host malicious payloads.[47][48]
Rocke has used Pastebin, Gitee, and GitLab for command and control.[49][50]
SharpStage has used a legitimate web service for evading detection.[22]
ShrinkLocker uses a subdomain on the legitimate Cloudflare resource "trycloudflare[.]com" to obfuscate the threat actor's actual address and to tunnel information sent from victim systems.[51]
Sibot has used a legitimate compromised website to download DLLs to the victim's machine.[52]
SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.[53]
Snip3 can download additional payloads from web services including Pastebin and top4top.[54]
SocGholish has used Amazon Web Services to host second-stage servers.[55]
TeamTNT has leveraged iplogger.org to send collected data back to C2.[56][57]
Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.[17][58]
VOID MANTICORE has utilized the Telegram API for C2.[59][60]
WhisperGate can download additional payloads hosted on a Discord channel.[61][62][63][64][65]