Develop Capabilities: Malware

Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[1][2][3][4]

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.[5]

Procedure Examples

Name: UNC2452

Description: UNC2452 developed SUNSPOT, SUNBURST, Teardrop, and Raindrop; SUNSPOT was tailored to inject SUNBURST into the source code of SolarWinds' Orion software update, which was then digitally signed by SolarWinds.

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

References

ID: VT0007.003
Sub-techniques:
Tactic: Resource Development
Platforms: PRE
Version: 1.0

Created: 04 March 2021

Last Modified: 04 March 2021