T1587.001: Malware

View on MITRE ATT&CK	T1587.001
Tactic(s)	Resource Development
Associated CAPEC Patterns	Targeted Malware (CAPEC-542)

Data from MITRE ATT&CK®:

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.(Citation: FireEye APT29)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

Report

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners, highlights the cyber espionage activities of the ...

View Source

Report

Evasive Panda leverages Monlam Festival to target Tibetans

This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...

View Source

Report

Earth Preta Campaign Uses DOPLUGS to Target Asia

This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...

View Source

Mitigations for this technique

MITRE ATT&CK Mitigations

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

How to detect this technique

MITRE ATT&CK Data Components

Malware Metadata (Malware Repository)

Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information

Malware Content (Malware Repository)

Code, strings, and other signatures that compromise a malicious payload

Sigma Detections for this Technique

T1587.001: Malware

Cyber Threat Graph Context

Reporting on this Technique

APT40 Advisory - PRC MSS tradecraft in action

North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs

Evasive Panda leverages Monlam Festival to target Tibetans

Earth Preta Campaign Uses DOPLUGS to Target Asia

Mitigations for this technique

Pre-compromise

How to detect this technique

Malware Metadata (Malware Repository)

Malware Content (Malware Repository)

Sigma Detections for this Technique

PsExec/PAExec Escalation to LOCAL SYSTEM

PUA - CsExec Execution

Potential PsExec Remote Execution

Potential Privilege Escalation To LOCAL SYSTEM

ProxyLogon MSExchange OabVirtualDirectory

Uncommon File Created In Office Startup Folder

VHD Image Download Via Browser