Research Article

LogKernel: A Threat Hunting Approach Based on Behaviour Provenance Graph and Graph Kernel Clustering

Table 2

Attack scenarios in the malicious dataset.

| Attack scenario | Description | Key nodes and operation |
| --- | --- | --- |
| OceanLotus [37] | Using phishing mails to deliver a malicious payload and a malicious sample and decrypt the sample to load additional data, then releasing the white application file of the Adobe Reader, and after loading, it connects to the C & C server. | Node: {hat file, %random%.exe, %deceive%.docx, dll files, C2 server}; operation: {execute hat file, release malicious files and deceive document, connect C2} |
| APT28 [38] | Using the macro file to release the trojan file and modify the registry to realize self-starting after booting, and then encrypting the collected files and sending them back. | Node: {%macro%.xls, %Trojan%.exe, %malicious%.dll, C2 server}; operation: {execute macro, decrypt trojan, release malicious dll, connect C2} |
| Kimsuky [39] | Using process injection to evade the intrusion detection system, then escalating privileges to obtain host information, and finally sending it to the C & C server. | Node: {%malicious%.scr, registry, explorer.exe (Process Hollowing), privileges, C & C server}; operation: {execute malicious scr, write registry, inject code to process, connect C2} |
| Unknown attack 1 | Using phishing emails to deliver macro virus samples, which release PE files and perform process hollowing, and finally encrypting the collected information and sending it to the C & C server (attack scenario). | Node: {%macro%.doc, %PE%.tmp, explorer.exe&snchost.exe (Process Hollowing), C2 server}; operation: {download&execute macro, process hollowing, encrypted information, connect C2} |
| Unknown attack 2 | Using weak passwords for remote login, then getting higher-privileged user information in the host and accessing the registry information, and finally exfiltrating collected information over FTP to remote servers. | Node: {remote user, root, C2 server}; operation: {remote login, login root, encrypted information, connect C2} |
| Cyber weapons | Using two homologous cyber weapons with no initial intrusion and delivery phases and seeing what happens when logs are incomplete. | |