Description
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G1014 | LuminousMoth | [LuminousMoth](https://attack.mitre.org/groups/G1014) has obtained and used malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154).(... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used publicly available malware for operations, likely to blend in with other cybercriminals.(... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used multiple strains of malware available for purchase on criminal forums or in open-source repos... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has utilized well known malware including the Packer-as-a-Service HeartCrypt, PureCrypter, and open-... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has acquired malware and related tools from dark web forums.(Citation: CISA GRU29155 2024) |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) acquired and used the Redline password stealer in their operations.(Citation: MSTIC DEV-0537 Mar 2022... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has developed or obtained trojanized applications used for persistent surveillance of targeted... |
| G1013 | Metador | [Metador](https://attack.mitre.org/groups/G1013) has used unique malware in their operations, including [metaMain](https://attack.mitre.org/software/S... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used publicly available malware for privilege escalation.(Citation: Mandiant APT1) |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has acquired and used [njRAT](https://attack.mitre.org/software/S0385) in its operations.(Citat... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used a variety of open-source remote access Trojans for its operations.(Citation: MalwareByt... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the publicly available rootkits [REPTILE](https://attack.mitre.org/software/S1219) and [MEDU... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used a variety of publicly-available remote access Trojans (RATs) for its operations.(Citation: ... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has used malware such as [Azorult](https://attack.mitre.org/software/S0344) and [Cobalt Strike](https:/... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used malware obtained after compromising other threat actors, such as [OilRig](https://attack.mitre... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of malware, including [Cobalt Strike](https://attack.mitre.org/so... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, an... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has obtained malware to use at multiple stages of operations including information stealers,... |
Frequently Asked Questions
What is T1588.001 (Malware)?
T1588.001 is a MITRE ATT&CK technique named 'Malware'. It belongs to the Resource Development tactic(s). Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adver...
How can T1588.001 be detected?
Detection of T1588.001 (Malware) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1588.001?
There is 1 documented mitigation for T1588.001: Pre-compromise.
Which threat groups use T1588.001?
Known threat groups using T1588.001 include: LuminousMoth, MuddyWater, TA2541, APT-C-36, Ember Bear, LAPSUS$, VOID MANTICORE, Metador.