Vol. 9 No. 1 (2024): Proceedings of Botconf 2024
Conference proceedings

A Taxonomic Overview of Prevalent Malware Communication Strategies

Steffen Enders
Fraunhofer FKIE
Daniel Plohmann
Fraunhofer FKIE
Manuel Blatt
Fraunhofer FKIE

Published 2025-02-10

Keywords

  • Malware analysis,
  • C2 communication,
  • Network traffic analysis,
  • Reverse engineering

How to Cite

Enders, S., Plohmann, D., & Blatt, M. (2025). A Taxonomic Overview of Prevalent Malware Communication Strategies. The Journal on Cybercrime and Digital Investigations, 9(1), 1-13. https://doi.org/10.18464/cybin.v9i1.53

Abstract

Malware analysis remains a critical task in cybersecurity, particularly given the prevalent use of network capabilities by many malware samples. Despite the need to discuss and understand the use of networking in malware, there is currently no comprehensive taxonomy to classify the various aspects of malware C&C communication. This lack of taxonomy has resulted in the absence of a categorized overview of the communication strategies utilized by prevalent malware.

Furthermore, no structured data set is available that includes representative samples of common malware families along with their respective network traffic captures, which is crucial to develop new malware networking analysis methods or to improve manual analysis skills.

In this paper, we make three main contributions.

First, we propose a taxonomy for malware C&C communication strategies, adapted and expanded from the Trend Micro botnet taxonomy, to ensure that it can be systematically applied to categorize and describe C&C communication methods more broadly.

Second, we provide an organized summary of the current malware C&C communication landscape, based on the malware families most frequently submitted to MalwareBazaar, to give researchers an overview of common techniques.

Third, we release a data set containing samples of these prevalent malware families together with live network traffic captures to facilitate research and the development of new tools for malware networking analysis.
