51. Collection - T1185 Man in the Browser
● Agent Tesla has the ability to use form-grabbing to
extract data submitted through web forms.
● TrickBot uses web injects and browser redirection to
trick the user into providing their login credentials on a
fake or modified web page.
● Dridex can perform browser attacks via web injects to
steal information such as credentials, certificates, and
cookies.
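The web-inject behaviour described on this slide, as an added example that is not code from the slides or from TrickBot, Dridex or Agent Tesla: a minimal interpreter for the Zeus-derived inject-config syntax (set_url / data_before / data_inject / data_after / data_end, simplified; the set_url flags are ignored) applied to a constructed login page, followed by the check a defender can make, diffing the form fields the server sent against the fields the browser actually rendered. The page, URL and inject config are constructed for the example.

```python
# Added example (T1185): a web inject rewriting a login page, then the
# field-diff check that exposes it. All inputs are constructed samples.
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class WebInject:
    url_mask: str      # set_url glob; '*' matches anything
    data_before: str   # marker the inject goes after ('*' wildcards allowed)
    data_inject: str   # HTML to insert
    data_after: str    # optional end marker; content between markers is replaced


def parse_injects(config: str) -> list[WebInject]:
    """Parse the Zeus-style block syntax (simplified: set_url flags ignored)."""
    injects: list[WebInject] = []
    current = None
    section = None
    buf: list[str] = []
    for line in config.splitlines():
        word = line.strip()
        if word.startswith("set_url "):
            current = WebInject(word.split()[1], "", "", "")
            injects.append(current)
        elif word in ("data_before", "data_inject", "data_after"):
            section, buf = word, []
        elif word == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf).strip())
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def _wildcard_to_regex(marker: str) -> str:
    # '*' is the inject-config wildcard; everything else is literal
    return ".*?".join(re.escape(part) for part in marker.split("*"))


def apply_injects(url: str, html: str, injects: list[WebInject]) -> str:
    """What the browser hook does: rewrite the response for matching URLs
    before the page is rendered, so the server never sees the change."""
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_mask) or not inj.data_before:
            continue
        before = re.search(_wildcard_to_regex(inj.data_before), html, re.DOTALL)
        if not before:
            continue
        start = end = before.end()
        if inj.data_after:
            after = re.search(_wildcard_to_regex(inj.data_after), html[start:], re.DOTALL)
            if not after:
                continue
            end = start + after.start()  # text between the markers is replaced
        html = html[:start] + "\n" + inj.data_inject + "\n" + html[end:]
    return html


class _InputCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.fields: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.fields.append((a.get("name") or "", a.get("type") or "text"))


def form_fields(html: str) -> list[tuple[str, str]]:
    p = _InputCollector()
    p.feed(html)
    return p.fields


def injected_fields(served_html: str, rendered_html: str) -> list[tuple[str, str]]:
    """Defender-side check: an input the browser shows that the server never
    sent is a candidate inject (needs a client-side view of the DOM)."""
    expected = set(form_fields(served_html))
    return [f for f in form_fields(rendered_html) if f not in expected]


# Constructed sample page and inject config (not real bank or malware data).
LOGIN_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button>Sign in</button>
</form></body></html>"""

INJECT_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<input type="text" name="card_pin" placeholder="Card PIN">
data_end
data_after
data_end
"""

if __name__ == "__main__":
    injects = parse_injects(INJECT_CONFIG)
    rendered = apply_injects("https://bank.example/login?lang=en", LOGIN_PAGE, injects)
    print("extra fields the user would see:", injected_fields(LOGIN_PAGE, rendered))
```

The takeaway for defenders is in the last function: because the rewrite happens inside the browser after TLS termination, server-side logs show a normal login; the extra field only shows up if something (an endpoint agent, a page-integrity script, or a user report) compares what was served with what was rendered.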
53. Credential Access - T1552 Unsecured Credentials
.001 Credentials In Files
● TrickBot can obtain passwords stored in files from
several applications such as Outlook, FileZilla, and WinSCP.
● Emotet has been observed leveraging a module that
retrieves passwords stored on a system for the current
logged-on user.
54. Credential Access - T1552 Unsecured Credentials
.002 Credentials in Registry
● TrickBot has retrieved PuTTY credentials by querying the
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions registry key,
where saved sessions keep proxy usernames and passwords in plaintext.
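Both T1552 sub-techniques on these two slides target the same weakness: a credential an application wrote somewhere readable. As an added example (not code from the slides, TrickBot or Emotet), the script below audits the two stores the slides name: a FileZilla sitemanager.xml, where the password is only base64-encoded, and a .reg export of HKCU\Software\SimonTatham\PuTTY\Sessions, where PuTTY keeps ProxyUsername/ProxyPassword as plaintext REG_SZ values and PublicKeyFile points at the private key. Both inputs are constructed samples embedded inline; on a real host you would feed it %APPDATA%\FileZilla\sitemanager.xml and the output of reg export HKCU\Software\SimonTatham\PuTTY\Sessions putty.reg.

```python
# Added example (T1552.001 / .002): find credentials stored by FileZilla and
# PuTTY on a host. The inputs below are constructed samples, not real data.
from __future__ import annotations

import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote


def filezilla_credentials(sitemanager_xml: str) -> list[dict]:
    """T1552.001: sitemanager.xml stores the password base64-encoded
    (older versions wrote it in plaintext); read access equals the secret."""
    found = []
    for server in ET.fromstring(sitemanager_xml).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # anonymous or key-based logon, nothing stored
        raw = pw.text.strip()
        secret = base64.b64decode(raw).decode("utf-8") if pw.get("encoding") == "base64" else raw
        found.append({
            "store": "filezilla",
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "secret": secret,
        })
    return found


_SESSION_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$", re.I)
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def putty_credentials(reg_export: str) -> list[dict]:
    """T1552.002: one subkey per saved session; ProxyPassword is plaintext
    and PublicKeyFile names the private key the session uses."""
    sessions: dict[str, dict[str, str]] = {}
    current = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = _SESSION_KEY.match(line)
            current = unquote(m.group(1)) if m else None  # PuTTY percent-encodes session names
            if current is not None:
                sessions[current] = {}
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            sessions[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
    return [
        {
            "store": "putty",
            "name": name,
            "host": vals.get("HostName", ""),
            "user": vals.get("ProxyUsername", ""),
            "secret": vals["ProxyPassword"],
            "key_file": vals.get("PublicKeyFile", ""),
        }
        for name, vals in sessions.items()
        if vals.get("ProxyPassword")
    ]


def audit(sitemanager_xml: str, reg_export: str) -> list[dict]:
    return filezilla_credentials(sitemanager_xml) + putty_credentials(reg_export)


# Constructed sitemanager.xml: one saved password, one anonymous entry.
SITEMANAGER_XML = """<FileZilla3 version="3.48.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQx</Pass>
      <Logontype>1</Logontype>
      <Name>prod-ftp</Name>
    </Server>
    <Server>
      <Host>ftp.anon.example</Host>
      <Logontype>0</Logontype>
      <Name>anon</Name>
    </Server>
  </Servers>
</FileZilla3>"""

# Constructed 'reg export' of the PuTTY Sessions key: one session with a
# plaintext proxy password and a key file, one without.
PUTTY_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions]

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod%20jump]
"HostName"="jump.example.internal"
"UserName"="ops"
"ProxyMethod"=dword:00000003
"ProxyHost"="proxy.example.internal"
"ProxyUsername"="ops"
"ProxyPassword"="Pr0xyPass!"
"PublicKeyFile"="C:\\Users\\ops\\keys\\jump.ppk"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\dev-box]
"HostName"="10.0.0.5"
"UserName"="dev"
"ProxyMethod"=dword:00000000
"""

if __name__ == "__main__":
    for hit in audit(SITEMANAGER_XML, PUTTY_REG):
        print(f"{hit['store']:9} {hit['name']:10} {hit['user']}@{hit['host']} secret={hit['secret']!r}")
```

Anything this script prints is exactly what TrickBot's password-grabbing module would collect from the same host, without needing admin rights, because both stores are readable by the logged-on user. The remediation is to remove the saved password (FileZilla's "Ask for password" logon type, no proxy password in the PuTTY session) rather than to restrict the file or key, since the user's own processes always have access.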
55. Top 5 ATT&CK Techniques in Action for 2019
1. T1063: Security Software Discovery (merged into T1518.001 in later ATT&CK versions)
2. T1027: Obfuscated Files or Information
3. T1055: Process Injection
4. T1082: System Information Discovery
5. T1057: Process Discovery
Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
59. Reference
Sodinokibi
● Ransomware Payments Up 33% As Maze and Sodinokibi Proliferate in Q1 2020
● Changes in REvil ransomware version 2.2
Dridex
● March 2020's Most Wanted Malware: Dridex Banking Trojan Ranks On Top
Malware List For First Time
Emotet
● Emotet Evolves With New Wi-Fi Spreader
60. Reference
TrickBot
● TrickBot Delivery Method Gets a New Upgrade Focusing on Windows 10
● TrickBot Malspam Leveraging Black Lives Matter as Lure
● TrickBot Trojan Leveraging a New Windows 10 UAC Bypass
● TrickBot malware now checks screen resolution to evade analysis
Agent Tesla
● New AgentTesla variant steals WiFi credentials
61. Reference
Top Techniques of 2019
● Defense Evasion Dominant in Top MITRE ATT&CK Tactics of 2019
Report
● Cyber Attack Trends: 2020 Mid-Year Report by Check Point
62. Resources
Top 10 Malware Jan to June by CIS
● https://www.cisecurity.org/blog/top-10-malware-january-2020/
● https://www.cisecurity.org/blog/top-10-malware-february-2020/
● https://www.cisecurity.org/blog/top-10-malware-march-2020/
● https://www.cisecurity.org/blog/top-10-malware-april-2020/
● https://www.cisecurity.org/blog/top-10-malware-may-2020/
● https://www.cisecurity.org/blog/top-10-malware-june-2020/
Others
● M-Trends 2020 by FireEye