1. Home
  2. ATT&CK Techniques
  3. T1608.001 Upload Malware

T1608.001 Upload Malware Mappings

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-44228 Apache Log4j2 Remote Code Execution Vulnerability secondary_impact T1608.001 Upload Malware
Comments
CVE-2021-44228, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.
References
  1. https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#attacks
  2. https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  3. https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
  4. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a
CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability primary_impact T1608.001 Upload Malware
Comments
CVE-2019-0604 is a vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to typically install webshell malware to vulnerable hosts.
References
  1. https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  2. https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  3. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability secondary_impact T1608.001 Upload Malware
Comments
This vulnerability is exploited by a remote, unauthenticated attacker by sending a crafted HTTP request to a vulnerable device's web server. This exploitation is possible due to incomplete error checking when parsing HTTP headers. If successfully exploited, it can cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
References
  1. https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  2. https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
CVE-2024-37085 VMware ESXi Authentication Bypass Vulnerability secondary_impact T1608.001 Upload Malware
Comments
This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.
References
  1. https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
CVE-2023-33246 Apache RocketMQ Command Execution Vulnerability secondary_impact T1608.001 Upload Malware
Comments
This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware.
References
  1. https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce
  2. https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246
  3. https://arcticwolf.com/resources/blog/cve-2023-33246/