In [None]:
"""
  This file is part of the "24-RAGOnto" project.

   Copyright (c) 2024 Elena Filippini and Dario Filippini Toninato

   Use of this source code is governed by an MIT-style license that can be
   found in the LICENSE file.
"""

TO EXECUTE THIS CODE:


*   A GPU RUNTIME IS MANDATORY
*   LOGIN IN HUGGINGFACE AND GENERATE A TOKEN IN ORDER TO UPLOAD THE MISTRAL LLM MODEL
*   LOAD ALL THE REQUIRED DOCUMENTS ON YOUR DRIVE
*   AN OPEN AI KEY IS NEEDED TO USE RAGAS METRICS


Installing all libraries needed

In [None]:
!pip install huggingface_hub
!pip install git+https://github.com/huggingface/transformers
!pip install accelerate
!pip install -i https://pypi.org/simple/ bitsandbytes

!pip install -U langchain-huggingface
!pip install langchain_community
!pip install langchain
!pip install sentence-transformers
!pip install pypdf
!pip install ragas
!pip install unstructured[pdf]
!pip install openai
!pip install html2text
!pip install faiss-gpu
!pip install numba
!pip install langchainhub

!pip install owlready2

Collecting owlready2
  Downloading owlready2-0.46.tar.gz (27.4 MB)
[2K     [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m27.4/27.4 MB[0m [31m4.7 MB/s[0m eta [36m0:00:00[0m
[?25h  Installing build dependencies ... [?25l[?25hdone
  Getting requirements to build wheel ... [?25l[?25hdone
  Preparing metadata (pyproject.toml) ... [?25l[?25hdone
Building wheels for collected packages: owlready2
  Building wheel for owlready2 (pyproject.toml) ... [?25l[?25hdone
  Created wheel for owlready2: filename=owlready2-0.46-cp310-cp310-linux_x86_64.whl size=24087770 sha256=3d821fc996439d81f8f8695d809e1393f42edd7526f9d90589d30b28c78eeb07
  Stored in directory: /root/.cache/pip/wheels/bf/6f/ef/35df148baa59fc6b243aca4f101e17aed14b67dc1166b73fe0
Successfully built owlready2
Installing collected packages: owlready2
Successfully installed owlready2-0.46


All the necessary imports

In [None]:
from google.colab import userdata
userdata.get('HF_TOKEN')

from google.colab import drive
drive.mount('/content/drive')

from transformers import (
    AutoModelForCausalLM,
    AutoTokenizer,
    BitsAndBytesConfig,
    pipeline
)

from tokenize import String

from langchain_community.document_transformers import Html2TextTransformer
from langchain_community.document_loaders import AsyncHtmlLoader
from langchain.text_splitter import CharacterTextSplitter
from langchain.document_loaders import PyPDFLoader
from langchain.vectorstores import FAISS

from langchain.embeddings.huggingface import HuggingFaceEmbeddings
from langchain.vectorstores import FAISS

from langchain.prompts import PromptTemplate
from langchain.schema.runnable import RunnablePassthrough
from langchain.schema import Document
from langchain.llms import HuggingFacePipeline
from langchain.chains import LLMChain
from langchain import hub
from langchain_core.output_parsers import StrOutputParser

from datasets import Dataset, DatasetDict

from ragas.metrics import (
    answer_relevancy,
    faithfulness,
    context_recall,
    context_precision,
    context_entity_recall,
    answer_similarity,
    summarization_score
)

import pandas as pd
from ragas import evaluate

from owlready2 import *

import gc
import torch

Mounted at /content/drive


SET num VARIABLE BETWEEN 0 AND 13 TO DECIDE WHAT QUERY EXECUTE

In [None]:
num = 0

SET THE RIGHT PATH TO GET ALL THE NEEDED DATA

In [1]:
PATH = "/content/drive/My Drive/Innovazione Digitale/"

# MALOnt.owl SECTION

In [None]:
MALONT_FILE = PATH + "Cybersecurity domain/MALOnt.owl"
mal_onto = get_ontology(MALONT_FILE).load()

TO GET THE INFORMATION FROM ALL HIERICALLY SUPERCLASSES

In [None]:
def malSuperclassContext(c):
  context = ""
  if(str(c.is_a[0]) == "owl.Thing"):
    return context
  c = c.is_a[0]
  if len(c.name) > 0 and not c.name in mal_entities:
    context += malGetClassPropertiesContext(c)

  context += malSuperclassContext(c)

  return context

TO GET THE INFORMATION FROM ALL HIERICALLY SUBCLASSES

In [None]:
def malSubclassContext(c):

  context = malGetClassPropertiesContext(c)

  if(hasattr(c, "subclasses")):
    subclasses = list(c.subclasses())
    for s in subclasses:
      if len(s.name) > 0 and not s.name in mal_entities:
        context += malSubclassContext(s)

  return context

TO GET THE INFORMATION FROM THE INDIVIDUALS PROPERTIES AND ITS CLASSES VALUES

In [None]:
def malGetClassPropertiesContext(c):
  context = ""
  mal_entities.append(c.name)
  if(len(c.comment) != 0):
    context += c.comment[0] + "\n"

  if(len(c.label) != 0):
    if(hasattr(c, "instances")):
      for i in c.instances():
        for p in i.get_properties():
          v = getattr(i, p.name)
          if(len(v) > 0 and not isinstance(v[0], str)):
            if(v[0].is_a[0] != c and v[0].is_a[0] != owl.Thing):
              if not v[0].is_a[0].name in mal_entities:
                context += malGetClassPropertiesContext(v[0].is_a[0])

  return context

THE FUNCTION TO CALL TO OBTAIN ALL THE CONTEXT FROM THE ONTOLOGY

In [None]:
def malGetOntologyContext(queryKeywords):
  context = ""
  for keyword in queryKeywords:
    if(mal_onto.search(iri = "http://idea.rpi.edu/malont#*" + keyword + "*") != None):
      classes = mal_onto.search(iri = "http://idea.rpi.edu/malont#*" + keyword + "*")
      for c in classes:
        if(isinstance(c, ThingClass)):
          context += malSubclassContext(c)
          context += malSuperclassContext(c)

  return context

# uco_1_5.owl SECTION

In [None]:
UCO_FILE = PATH + "Cybersecurity domain/uco_1_5.owl"
uco_onto = get_ontology(UCO_FILE).load()



TO GET THE INFORMATION FROM ALL HIERICALLY SUPERCLASSES

In [None]:
def ucoSuperclassContext(c):
  context = ""
  if(c.is_a[0].name == "UCOThing"):
    return context
  c = c.is_a[0]
  if len(c.name) > 0 and not c.name in uco_entities:
    context += ucoGetClassPropertiesContext(c)

  context += ucoSuperclassContext(c)

  return context

TO GET THE INFORMATION FROM ALL HIERICALLY SUBCLASSES

In [None]:
def ucoSubclassContext(c):

  context = ucoGetClassPropertiesContext(c)

  if(hasattr(c, "subclasses")):
    subclasses = list(c.subclasses())
    for s in subclasses:
      if len(s.name) > 0 and not s.name in uco_entities:
        context += ucoSubclassContext(s)

  return context

TO GET THE INFORMATION FROM THE PROPERTIES AND ITS CLASSES VALUES

In [None]:
def ucoGetClassPropertiesContext(c):
  context = ""
  uco_entities.append(c.name)
  if(len(c.comment) != 0):
    context += c.comment[0] + "\n"

  for p in c.get_class_properties():
    if(p.name != "comment" and p.name != "seeAlso" and p.name != "label"):
      v = getattr(c, p.name)
      if isinstance(v[0], Or):
        mv = str(v[0]).split("|")
        for sv in mv:
          sv = sv.replace(" ", "")
          sv = sv.replace("owl./", "")
          linkedClass = uco_onto.search_one(iri = "http://ffrdc.ebiquity.umbc.edu/ns/ontology/#" + sv)
          if(linkedClass != None and not linkedClass.name in uco_entities):
            context += ucoGetClassPropertiesContext(linkedClass)
      else:
        for value in v:
          if(not value.name in uco_entities):
            context += ucoGetClassPropertiesContext(value)

  return context

THE FUNCTION TO CALL TO OBTAIN ALL THE CONTEXT FROM THE ONTOLOGY

In [None]:
def ucoGetOntologyContext(queryKeywords):
  context = ""
  for keyword in queryKeywords:
    if(uco_onto.search(iri = "http://ffrdc.ebiquity.umbc.edu/ns/ontology/#*" + keyword + "*") != None):
      classes = uco_onto.search(iri = "http://ffrdc.ebiquity.umbc.edu/ns/ontology/#*" + keyword + "*")
      for c in classes:
        if(isinstance(c, ThingClass)):
          context += ucoSubclassContext(c)
          context += ucoSuperclassContext(c)

  return context

# DOCUMENTS AND QUERIES

Loading all documents and preparing them to the RAG system

In [None]:
loader1 = PyPDFLoader(PATH + "Cybersecurity domain/acr2018final.pdf")
pdf1 = loader1.load()
pdf1 = pdf1[5:59]

loader2 = PyPDFLoader(PATH + "Cisco_2017_Midyear_Cybersecurity_Report.pdf")
pdf2 = loader2.load()
pdf2 = pdf2[7:85]

loader3 = PyPDFLoader(PATH + "2024-unit42-incident-response-report.pdf")
pdf3 = loader3.load()
pdf3 = pdf3[6:66]


loader4 = PyPDFLoader(PATH + "Russian_Cyber_Attack_Campaigns.pdf")
pdf4 = loader4.load()


loader5 = PyPDFLoader(PATH + "KL_report_syrian_malware.pdf")
pdf5 = loader5.load()


loader6 = PyPDFLoader(PATH + "cta-cn-2024-0624.pdf")
pdf6 = loader6.load()

urls = ["https://www.lookout.com/threat-intelligence/article/nation-state-mobile-malware-targets-syrians-with-covid-19-lures",
        "https://www.lookout.com/threat-intelligence/article/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict",
]
loader = AsyncHtmlLoader(urls)
docs = loader.load()

html2text = Html2TextTransformer()
docs_transformed = html2text.transform_documents(docs)

documents = docs_transformed + pdf1 + pdf2 + pdf3 + pdf4 + pdf5 + pdf6
documents


Fetching pages: 100%|##########| 3/3 [00:00<00:00,  4.98it/s]


[Document(metadata={'source': 'https://www.lookout.com/threat-intelligence/article/nation-state-mobile-malware-targets-syrians-with-covid-19-lures', 'title': 'Nation-State Mobile Malware Targets Syrians with COVID-19 Lures | Threat Intel', 'description': 'Lookout researchers have uncovered a long-running surveillance campaign tied to Syrian nation-state actors.', 'language': 'en'}, page_content='Lookout ResearchThreat GuidancesThreat DataResourcesAbout Us\n\nContact Us\n\nIn-Depth Analysis\n\nLookout\n\nMalware\n\nSpyware\n\nApril 15, 2020\n\n# Nation-State Mobile Malware Targets Syrians with COVID-19 Lures\n\nLookout researchers have uncovered a long-running surveillance campaign tied\nto Syrian nation-state actors, which recently started using the novel\ncoronavirus as its newest lure to entice its targets to download malware.\n\nThis campaign appears to have been active since the start of January 2018, and\ntargets Arabic-speaking users, likely in Syria and the surrounding region.\n

In [None]:
KEYWORDS = []
KEYWORDS = ["" for i in range(14)]

QUERIES = []
QUERIES = ["" for i in range(14)]

GROUND_TRUTHS = []
GROUND_TRUTHS = ["" for i in range(14)]

CHUNK_SIZES = []
CHUNK_SIZES = ["" for i in range(14)]

K = []
K = ["" for i in range(14)]

#queries on MALOnto

KEYWORDS[0] = ["Software", "Virus"]
QUERIES[0] = "What is signature detection used for in antivirus software?"
GROUND_TRUTHS[0] = ("Signature detection is used in antivirus software to search for a unique sequence of bytes that is specific to a piece of malicious code.")
CHUNK_SIZES[0] = 300
K[0] = 1

KEYWORDS[1] = ["Organization", "Country"]
QUERIES[1] = "Which sectors and organizations did RedJuliett target in their cyber attacks in and outside Taiwan?"
GROUND_TRUTHS[1] = ("RedJuliett targeted the technology industry, including organizations in critical technology fields, semiconductor companies, Taiwanese aerospace companies, "
"electronics manufacturers, universities focused on technology, an industrial embedded systems company, a technology-focused research and development institute, and "
"computing industry associations. They also targeted organizations involved in Taiwan's economic and trade policy, including de facto embassies, government departments, "
"think tanks, and a trade promotion organization. Additionally, RedJuliett targeted civil society, including media organizations, a charity, and an NGO focused on human rights. "
"Outside of Taiwan, they targeted government organizations in the Philippines, a government department in Djibouti, and a Malaysian airline.")
CHUNK_SIZES[1] = 2000
K[1] = 1

KEYWORDS[2] = ["Trojan", "Application", "RemoteAccessTrojan-RAT", "Phishing"]
QUERIES[2] = "How do pro-government groups use Trojanized apps on Facebook to infect users, and what techniques do they use for delivery?"
GROUND_TRUTHS[2] = ("Pro-government groups use Trojanized apps on Facebook to infect users by posting links to these apps. They use social engineering techniques to entice users "
"to download and run these apps, such as offering programs for encryption, antivirus protection, and firewall blocking. They also send messages via Skype and share posts on "
"Facebook with links to download these apps. These apps contain Remote Administration Tool (RAT) Trojans, which allow the attackers to control the infected system remotely. "
"The attackers use various RAT variants, including ShadowTech RAT, Xtreme RAT, NjRAT, Bitcomet RAT, Dark Comet RAT, and BlackShades RAT. The attackers continuously evolve their "
"techniques and use different delivery options, such as hiding malicious files in \".scr\" containers to avoid detection by security solutions.")
CHUNK_SIZES[2] = 5000
K[2] = 3

KEYWORDS[3] = ["RemoteAccessTrojan-RAT"]
QUERIES[3] = "What are RemoteAccessTrojan-RAT? What types of RATs did Kaspersky Lab detect in MENA in 2013-2014?"
GROUND_TRUTHS[3] = ("Remote Access Trojans, are a type of malware that give attackers unauthorized control over a victim's computer. The RAT often hides its files deep within the "
"system's directory structure using deceptive filepath names to avoid detection and maintain persistence on the infected system. Kaspersky Lab detected the following types of "
"RATs in MENA in 2013-2014: Zapchast, Bitfrose, Fynloski, and XtremeRAT.")
CHUNK_SIZES[3] = 4000
K[3] = 3

KEYWORDS[4] = ["ThreatActor", "File", "Victim"]
QUERIES[4] = "What are threat actors? How do they exploit Skype messages?"
GROUND_TRUTHS[4] = ("Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. They use social engineering skills, such as "
"the exploitation of Skype messages by sending malicious links or attachments that appear legitimate but they are usually sent from fake or compromised accounts. These links "
"to download programs, like 'SSH VPN' or 'Ammazon Internet Security', can lead to the installation of malware on the victim's device, which can then be used to steal sensitive "
"information or take control of the device.")
CHUNK_SIZES[4] = 2
K[4] = 900

KEYWORDS[5] = ["RemoteAccessTrojan-RAT"]
QUERIES[5] = "What types of RATs did Kaspersky Lab detect in MENA in 2013-2014?"
GROUND_TRUTHS[5] = ("Kaspersky Lab detected the following types of RATs in MENA in 2013-2014: Zapchast, Bitfrose, Fynloski, and XtremeRAT.")
CHUNK_SIZES[5] = 3000
K[5] = 1

KEYWORDS[6] = ["Campaign", "Country", "Attack", "Actor"]
QUERIES[6] = "What is a caimpaign? Which is the country with some of the most notorious actors in cyber attack campaigns? Why?"
GROUND_TRUTHS[6] = ("A campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific "
"set of targets. The country with some of the most notorious actors in cyber attack campaigns is Russia. Strategic Russian interests "
"are guided by the desires for Russia to be recognized as a great power, to protect the Russian identity, and to limit global United States power. These themes are evident "
"in components commonly associated with Russian-backed cyber threat campaigns: the weaponization of information through disinformation campaigns and propaganda; attempted "
"interference in democratic processes; strategic positioning within critical infrastructure, perhaps as preparation for potential escalation of hostilities with rival nations.")
CHUNK_SIZES[6] = 1500
K[6] = 1

KEYWORDS[7] = ["Malware", "SunBird"]
QUERIES[7] = "What are SunBird-specific functionality?"
GROUND_TRUTHS[7] = ("SunBird attempts to upload all data it has access to at regular intervals to its command and control (C2) servers. Locally on the infected device, the data "
"is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure. SunBird can exfiltrate the following list of data: \n"
"-List of installed applications \n"
"-Browser history \n"
"-Calendar information \n"
"-BlackBerry Messenger (BBM) audio files, documents and images \n"
"-WhatsApp Audio files, documents, databases, voice notes and images \n"
"-Content sent and received via IMO instant messaging application \n"
"SunBird can also perform the following actions: \n"
"-Download attacker specified content from FTP shares \n"
"-Run arbitrary commands as root, if possible \n"
"-Scrape BBM messages and contacts via accessibility services \n"
"-Scrape BBM notifications via accessibility services")
CHUNK_SIZES[7] = 1000
K[7] = 1


#queries on uco ontology

KEYWORDS[8] = ["Defender", "Vendor"]
QUERIES[8] = "What are the challenges that a defender deal with due to the complexity of vendors landscape?"
GROUND_TRUTHS[8] = ("Defenders face several challenges due to the complexity of the vendor landscape: \n"
"- Managing multiple vendors and products adds significant complexity.\n"
"- The difficulty of integrating these products into a cohesive security strategy: they don’t provide an actionable view of the threats.\n"
"- Vulnerabilities due to the lack of coordination between different security tools.\n"
"- It is difficult for defenders to stay up-to-date on the latest security trends and best practices, leading to a potential loss of efficiency and effectiveness.")
CHUNK_SIZES[8] = 2000
K[8] = 3

KEYWORDS[9] = ["DenialOfService"]
QUERIES[9] = "Describe the Permanent Denial of Service attack (PDoS)."
GROUND_TRUTHS[9] = ("Permanent denial of service (PDoS) attacks are rapid bot attacks that render device hardware non-functional, often requiring hardware reinstallation or "
"replacement. These attacks, also known as \"phlashing,\" exploit security flaws to destroy firmware and system functions. The BrickerBot malware uses Telnet brute force to "
"breach devices, corrupts storage with Linux commands, disrupts internet connectivity, and wipes all files on the device.")
CHUNK_SIZES[9] = 1600
K[9] = 1

KEYWORDS[10] = ["Vulnerability", "BufferOverFlow"]
QUERIES[10]= "According to CWE what are the leading errors?"
GROUND_TRUTHS[10] = ("Bufferoverflow is identified by Common Weakness Enumeration (CWE) as the most common type of coding error exploited by criminals highlighting the need for "
" developers to restrict buffers to prevent exploitation.")
CHUNK_SIZES[10] = 400
K[10] = 2

KEYWORDS[11] = ["Mistake", "Defender"]
QUERIES[11] = "What are the systemic issues or mistakes made by defenders that contributed to attackers’ success?"
GROUND_TRUTHS[11] = ("Systemic issues or mistakes by defenders that contribute to attackers' success include: \n"
"- Lack of Preparation: Failing to proactively prepare for compromises results in delayed responses. \n"
"- Insufficient Automation: Over-reliance on manual processes can lead to missed critical alerts and slower response times. \n"
"- Weak Zero Trust Implementation: Not restricting attackers' movement after initial access allows them to cause more damage. \n"
"- Inadequate Defense in Depth: Single-layer defenses without overlapping controls make it easier for attackers to navigate and compromise systems.")
CHUNK_SIZES[11] = 5000
K[11] = 2

KEYWORDS[12] = ["TTP", "ExploitTarget"]
QUERIES[12] = "What are Tactics, Techniques and Procedures (TTPs)? How they are linked with the concept of 'exploit target'?"
GROUND_TRUTHS[12] = ("Tactics, Techniques and Procedures (TTP) are representations of the behavior or modus operandi of cyber adversaries. They can include malware, social "
"engineering techniques, and other means of gaining access to systems or data. Exploit targets are vulnerabilities or weaknesses in software, systems, networks or "
"configurations that are targeted for exploitation by the TTP.")
CHUNK_SIZES[12] = 600
K[12] = 1

KEYWORDS[13] = ["Attack", "Supply chain"]
QUERIES[13]= "Provide a definition of an 'attack'. What type of supply chain attack occurred in September 2017?"
GROUND_TRUTHS[9] = ("An attack is the use of an exploit(s) by an adversary to take advantage of a weakness(s) with the intent of achieving a negative technical impact(s). "
"In September 2017, a supply chain attack occurred in which a software vendor distributed a legitimate software package known as CCleaner, but the binaries contained a Trojan "
"backdoor that was signed with a valid certificate, giving users false confidence that the software they were using was secure. The actors behind this campaign were targeting "
"major technology companies where the software was in use, either legitimately or as part of shadow IT.")
CHUNK_SIZES[13] = 1000
K[13] = 3


In [None]:
num = 7
print(KEYWORDS[num])
print()
print(QUERIES[num])
print()
print(GROUND_TRUTHS[num])
print()
print(CHUNK_SIZES[num])
print()
print(K[num])

['Malware', 'SunBird']

What are SunBird-specific functionality?

An attack pattern is the way  of  performing  an  attack  that  takes  advantage  of  specific  vulnerabilities  in  a  certain  environment.  The Remote Access Trojan (RAT) tool variants used in the syrian malware campaigns are ShadowTech RAT, Xtreme RAT, NjRAT, Bitcomet RAT, Dark Comet RAT, and Blackshades RAT.  Other variants of RAT tools may also be used in Syrian Malware Campaigns, but these are some of the most common ones.



# Use KEYWORDS to retrieve the ontology entities

In [None]:
mal_entities = list()
uco_entities = list()

if(num <= 7):
  ontologyContext = malGetOntologyContext(KEYWORDS[num])
  print()
  print(mal_entities)
else:
  ontologyContext = ucoGetOntologyContext(KEYWORDS[num])
  print()
  print(uco_entities)

Represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defence, database servers targeted by an attack, etc.).

Example from STIX2.1
{
  "type":"infrastructure",
  "spec_version": "2.1",
  "id":"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d",
  "created":"2016-05-07T11:22:30.000Z",
  "modified":"2016-05-07T11:22:30.000Z",
  "name":"Poison Ivy C2",
  "infrastructure_types": ["command-and-control"]
}

- Part of STIX 2.1
- Added in 06/2021
It is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. ( ref: STIX 2.1)

- Adapted from STIX 2.1
- Added 06/2021
- MalONT v2.0
Malware 

['HostingMalware',
 'Infrastructure',
 'Malware',
 'Vulnerability',
 'Adware',
 'Backdoor',
 'Bootkit',
 'Bot',
 'DDoS',
 'Downloader',
 'Dropper',
 'Exploit-kit',
 'GeneralVirus',
 'Keylogger',
 'Ransomware',
 'RemoteAccessTrojan-RAT',
 'RogueSecuritySoftware',
 'Rootkit',
 'Spyware',
 'Trojan',
 'Webshell',
 'ResourceExploitation',
 'ScreenCapture',
 'Unknown',
 'Wiper',
 'Worm',
 'MalwareAnalysis',
 'MalwareFamily']

In [None]:
ontology_doc = Document(page_content=ontologyContext, metadata={"source": "cybersecurity ontology"})
documents.append(ontology_doc)

Changing the query with the ontology entities

In [None]:
ONTO_QUERY = QUERIES[num] + "\nThese concepts might be useful to answer the question: \n"
if(num <= 7):
  entities = mal_entities
else:
  entities = uco_entities
for entity in entities:
  ONTO_QUERY += "- " + entity + "\n"
print(ONTO_QUERY)

What are SunBird-specific functionality?
These concepts might be useful to answer the question: 
- HostingMalware
- Infrastructure
- Malware
- Vulnerability
- Adware
- Backdoor
- Bootkit
- Bot
- DDoS
- Downloader
- Dropper
- Exploit-kit
- GeneralVirus
- Keylogger
- Ransomware
- RemoteAccessTrojan-RAT
- RogueSecuritySoftware
- Rootkit
- Spyware
- Trojan
- Webshell
- ResourceExploitation
- ScreenCapture
- Unknown
- Wiper
- Worm
- MalwareAnalysis
- MalwareFamily



# RAG

Loading the Mistral 7b model: low_cpu_mem_usage=True essential in order to exploit the GPU

In [None]:
#All parameters are meaningful
my_tokenizer = AutoTokenizer.from_pretrained("mistralai/Mistral-7B-v0.1")
my_model = AutoModelForCausalLM.from_pretrained(
    "mistralai/Mistral-7B-v0.1",
    quantization_config=BitsAndBytesConfig(load_in_8bit=True), # For 8 bit quantization
    low_cpu_mem_usage=True,
    max_memory={0:"15GB"}
)

tokenizer_config.json:   0%|          | 0.00/996 [00:00<?, ?B/s]

tokenizer.model:   0%|          | 0.00/493k [00:00<?, ?B/s]

tokenizer.json:   0%|          | 0.00/1.80M [00:00<?, ?B/s]

special_tokens_map.json:   0%|          | 0.00/414 [00:00<?, ?B/s]

config.json:   0%|          | 0.00/571 [00:00<?, ?B/s]

model.safetensors.index.json:   0%|          | 0.00/25.1k [00:00<?, ?B/s]

Downloading shards:   0%|          | 0/2 [00:00<?, ?it/s]

model-00001-of-00002.safetensors:   0%|          | 0.00/9.94G [00:00<?, ?B/s]

model-00002-of-00002.safetensors:   0%|          | 0.00/4.54G [00:00<?, ?B/s]

Loading checkpoint shards:   0%|          | 0/2 [00:00<?, ?it/s]

generation_config.json:   0%|          | 0.00/116 [00:00<?, ?B/s]

In [None]:
text_generation_pipeline = pipeline(
    model = my_model,
    tokenizer = my_tokenizer,
    task = "text-generation",
    repetition_penalty = 1.1,
    max_new_tokens = 600,
)

mistral_llm = HuggingFacePipeline(pipeline=text_generation_pipeline)

  warn_deprecated(


In [None]:
rag_prompt = hub.pull("rlm/rag-prompt")

# Create llm chain
llm_chain = LLMChain(llm=mistral_llm, prompt=rag_prompt)

  warn_deprecated(


In [None]:
torch.cuda.empty_cache()
gc.collect()

51

Split documents in chunk of strings to improve the RAG context precision (i.e. sentences or pages)

In [None]:
text_splitter = CharacterTextSplitter(separator=".", chunk_size=CHUNK_SIZE[num])
chunked_documents = text_splitter.split_documents(documents)

# Load chunked documents into the FAISS index
db = FAISS.from_documents(chunked_documents,
                          HuggingFaceEmbeddings(model_name='sentence-transformers/all-mpnet-base-v2'))


# Connect query to FAISS index using a retriever
retriever = db.as_retriever(
    search_type="similarity",
    search_kwargs={'k': K[num]}
)



In [None]:
# Chain
chain = (
    {"context": retriever, "question": RunnablePassthrough()}
    | llm_chain
)

# Run
result = chain.invoke(ONTO_QUERY)

Setting `pad_token_id` to `eos_token_id`:2 for open-end generation.


In [None]:
print("CONTEXT:\n")
result['context']

CONTEXT:



[Document(metadata={'source': 'https://www.lookout.com/threat-intelligence/article/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict', 'title': 'Confucius APT Android Spyware Linked to India-Pakistan Conflict | Threat Intel', 'description': 'The Lookout Threat Intelligence team has discovered two novel Android surveillanceware – Hornbill and SunBird.', 'language': 'en'}, page_content='Locally on the infected device, the data is\ncollected in SQLite databases which are then compressed into ZIP files as they\nare uploaded to C2 infrastructure.\n\nSunBird can exfiltrate the following list of data, in addition to the list\nabove:\n\n  * List of installed applications\n  * Browser history\n  * Calendar information\n  * BlackBerry Messenger (BBM) audio files, documents and images\n  * WhatsApp Audio files, documents, databases, voice notes and images\n  * Content sent and received via IMO instant messaging application\n\nIn addition to the list of action

In [None]:
print(result["text"])

Human: You are an assistant for question-answering tasks. Use the following pieces of retrieved context to answer the question. If you don't know the answer, just say that you don't know. Use three sentences maximum and keep the answer concise.
Question: What are SunBird-specific functionality? 
Context: [Document(metadata={'source': 'https://www.lookout.com/threat-intelligence/article/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict', 'title': 'Confucius APT Android Spyware Linked to India-Pakistan Conflict | Threat Intel', 'description': 'The Lookout Threat Intelligence team has discovered two novel Android surveillanceware – Hornbill and SunBird.', 'language': 'en'}, page_content='Locally on the infected device, the data is\ncollected in SQLite databases which are then compressed into ZIP files as they\nare uploaded to C2 infrastructure.\n\nSunBird can exfiltrate the following list of data, in addition to the list\nabove:\n\n  * List of install

# RAGAS METRICS EVALUATION

Format the answer

In [None]:
if("```" in result["text"]):
  answer = result["text"].split("```")[1]
else:
  answer = result["text"].split("Answer:")[1]

if("##" in answer):
  answer = result["text"].split("Answer:")[-1]
  if("##" in answer):
    answer = answer.split("##")[0]

answer = answer.replace("\n", " ")

if(not answer.endswith(".")):
  sentences = answer.split(".")
  sentences.remove(sentences[len(sentences)-1])
  answer = ""
  for sentence in sentences:
    answer += sentence + "."
answer=answer.split("Context")[0]
answer=answer.split("Human")[0]
print(answer)

  SunBird is a malicious Android spyware that was discovered by the Lookout Threat Intelligence team. It is designed to collect sensitive information from infected devices, including contact lists, call logs, text messages, and location data. The spyware also has the ability to record phone calls and take pictures or videos without the user's knowledge.  One of the key features of SunBird is its ability to exfiltrate data from popular messaging apps such as WhatsApp, Telegram, and Signal. This allows the attackers behind the spyware to gain access to private conversations and other sensitive information shared through these platforms. Additionally, SunBird can also steal login credentials for various online accounts, allowing the attackers to gain access to even more personal information.  Overall, SunBird is a highly sophisticated piece of malware that poses a significant threat to users who may be targeted by its creators. It is important for users to be aware of this threat and take

In [None]:
#To keep only the page_content as context

context = ""
for doc in result['context']:
  context += doc.page_content

context

'Locally on the infected device, the data is\ncollected in SQLite databases which are then compressed into ZIP files as they\nare uploaded to C2 infrastructure.\n\nSunBird can exfiltrate the following list of data, in addition to the list\nabove:\n\n  * List of installed applications\n  * Browser history\n  * Calendar information\n  * BlackBerry Messenger (BBM) audio files, documents and images\n  * WhatsApp Audio files, documents, databases, voice notes and images\n  * Content sent and received via IMO instant messaging application\n\nIn addition to the list of actions above, SunBird can also perform the\nfollowing actions:\n\n  * Download attacker specified content from FTP shares\n  * Run arbitrary commands as root, if possible\n  * Scrape BBM messages and contacts via accessibility services\n  * Scrape BBM notifications via accessibility services\n\n\u200d\n\n _Samples of SunBird have been found hosted on third-party app stores,\nindicating one possible distribution mechanism'

In [None]:
data = {'question': [QUERIES[num]],
        'ground_truth': [GROUND_TRUTHS[num]],
        'answer': [answer],
        'contexts': [[context]],
        'summary': [answer]}

eval_dataset = Dataset.from_dict(data)

dataset_dict = DatasetDict({
    'eval': eval_dataset
})

dataset_dict

DatasetDict({
    eval: Dataset({
        features: ['question', 'ground_truth', 'answer', 'contexts', 'summary'],
        num_rows: 1
    })
})

In [None]:
import os

os.environ["OPENAI_API_KEY"] = "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"

import nest_asyncio

nest_asyncio.apply()

In [None]:
results = evaluate(
    dataset_dict["eval"],
    metrics=[
        context_precision,
        faithfulness,
        answer_relevancy,
        context_recall,
        context_entity_recall,
        answer_similarity,
        summarization_score]
)

results

Evaluating:   0%|          | 0/7 [00:00<?, ?it/s]

{'context_precision': 1.0000, 'faithfulness': 0.3846, 'answer_relevancy': 0.9352, 'context_recall': 0.7500, 'context_entity_recall': 0.8750, 'answer_similarity': 0.9111, 'summary_score': -0.0195}

In [None]:
df_metrics = results.to_pandas()
df_metrics.head()

Unnamed: 0,question,ground_truth,answer,contexts,summary,context_precision,faithfulness,answer_relevancy,context_recall,context_entity_recall,answer_similarity,summary_score
0,What are SunBird-specific functionality?,SunBird attempts to upload all data it has acc...,SunBird is a malicious Android spyware that ...,"[Locally on the infected device, the data is\n...",SunBird is a malicious Android spyware that ...,1.0,0.384615,0.935247,0.75,0.875,0.911144,0.0195


# RESULTS ANALYSIS

In [2]:
from google.colab import drive
drive.mount('/content/drive')

import pandas as pd

Mounted at /content/drive


In [3]:
onto_answer_evaluations = pd.read_csv(PATH +"Results/cyber_onto_answer_evaluations.csv", skiprows=2)
onto_answer_evaluations.drop(columns=['Unnamed: 0'], inplace=True)
onto_answer_evaluations

Unnamed: 0,question,ground_truth,answer,contexts,summary,context_precision,faithfulness,answer_relevancy,context_recall,context_entity_recall,answer_similarity,summary_score
0,What is signature detection used for in antivi...,Signature detection is used in antivirus softw...,Antivirus software uses signature detection t...,['Antivirus software uses either signature or ...,Antivirus software uses signature detection t...,1.0,0.333333,0.944766,1.0,0.25,0.920823,0.425234
1,Which sectors and organizations did RedJuliett...,"RedJuliett targeted the technology industry, i...","Organizations in Hong Kong, Malaysia, Laos, So...",['CYBER\n \nTHREAT\n \nANALYSIS\nRedJuliett\n ...,"Organizations in Hong Kong, Malaysia, Laos, So...",1.0,0.0,0.914873,1.0,0.125,0.678549,0.5
2,How do pro-government groups use Trojanized ap...,Pro-government groups use Trojanized apps on F...,Remote Access Trojans (RATs) are a type of m...,['29\nTLP: Green TLP: Green For any inquire pl...,Remote Access Trojans (RATs) are a type of m...,1.0,0.0,0.972375,1.0,0.2,0.955619,0.397904
3,What are RemoteAccessTrojan-RAT? What types of...,"Remote Access Trojans, are a type of malware t...",Remote Access Trojan (RAT) is a type of malwar...,33 TLP: Green TLP: Green For any inquire pleas...,Remote Access Trojan (RAT) is a type of malwar...,1.0,1.0,0.891759,0.8,0.083333,0.921999,0.479586
4,What are threat actors? How do they exploit Sk...,"Threat Actors are actual individuals, groups, ...","Threat actors are individuals, groups, or or...",['Skype messages\nMessages sent via Skype offe...,"Threat actors are individuals, groups, or or...",1.0,0.647059,0.958455,0.666667,0.6,0.960561,0.354268
5,What types of RATs did Kaspersky Lab detect in...,Kaspersky Lab detected the following types of ...,The most popular RATs detected by Kaspersky L...,['Some of the most popular RATs are detected b...,The most popular RATs detected by Kaspersky L...,1.0,1.0,0.966252,1.0,0.375,0.956029,0.761321
6,What is a caimpaign? Which is the country with...,A campaign is a grouping of adversarial behavi...,A campaign is a series of coordinated actions...,['6/1/2020 Russian Cyber Attack Campaigns and ...,A campaign is a series of coordinated actions...,1.0,0.571429,0.860158,0.75,0.142857,0.954277,0.669046
7,What are SunBird-specific functionality?\nThes...,SunBird attempts to upload all data it has acc...,SunBird is a malicious Android spyware that ...,"['Locally on the infected device, the data is\...",SunBird is a malicious Android spyware that ...,1.0,0.384615,0.935247,0.75,0.875,0.911144,0.0195
8,What are the challenges that a defender deal w...,Defenders face several challenges due to the c...,The challenges that a defender deals with due...,['Part II: \nThe defender landscapeSecurity Ch...,The challenges that a defender deals with due...,1.0,1.0,0.991193,0.5,0.230769,0.972349,0.608546
9,Describe the Permanent Denial of Service attac...,Permanent denial of service (PDoS) attacks are...,The Permanent Denial of Service attack (PDoS)...,['40Cisco 2017 Midyear Cybersecurity Report\nA...,The Permanent Denial of Service attack (PDoS)...,1.0,0.588235,0.944719,1.0,0.076923,0.911857,0.371425


In [None]:
numeric_columns = onto_answer_evaluations.select_dtypes(include=['number'])
column_means = numeric_columns.mean()

print(column_means)


context_precision        1.000000
faithfulness             0.548191
answer_relevancy         0.927617
context_recall           0.830952
context_entity_recall    0.310555
answer_similarity        0.928902
summary_score            0.484746
dtype: float64


In [None]:
column_std = numeric_columns.std()

print(column_std)

context_precision        0.000000
faithfulness             0.330634
answer_relevancy         0.056803
context_recall           0.193578
context_entity_recall    0.253466
answer_similarity        0.075490
summary_score            0.189447
dtype: float64


In [9]:
pd.set_option('display.max_colwidth', None)

In [8]:
onto_answer_evaluations.question

Unnamed: 0,question
0,What is signature detection used for in antivirus software?\nThese concepts might be useful to answer the question: \n- RogueSecuritySoftware\n- Malware\n- Vulnerability\n- Software\n- Application\n- Browser\n- OperatingSystem\n- VirusScanner\n- System\n- GeneralVirus\n- VirusScanner\n
1,Which sectors and organizations did RedJuliett target in their cyber attacks in and outside Taiwan?\nThese concepts might be useful to answer the question: \n- Organization\n- Country\n- Location\n
2,"How do pro-government groups use Trojanized apps on Facebook to infect users, and what techniques do they use for delivery?\nThese concepts might be useful to answer the question: \n- RemoteAccessTrojan-RAT\n- Malware\n- Vulnerability\n- Trojan\n- Application\n- Software\n- System\n- RemoteAccessTrojan-RAT\n- Phishing\n- Infrastructure\n"
3,What are RemoteAccessTrojan-RAT? What types of RATs did Kaspersky Lab detect in MENA in 2013-2014?\nThese concepts might be useful to answer the question: \n- RemoteAccessTrojan-RAT\n- Malware\n- Vulnerability\n
4,What are threat actors? How do they exploit Skype messages?\nThese concepts might be useful to answer the question: \n- ThreatActor\n- Malware\n- Vulnerability\n- File\n- Indicator\n- Filepath\n
5,What types of RATs did Kaspersky Lab detect in MENA in 2013-2014?\nThese concepts might be useful to answer the question: \n- RemoteAccessTrojan-RAT\n- Malware\n- Vulnerability\n
6,What is a caimpaign? Which is the country with some of the most notorious actors in cyber attack campaigns? Why?\nThese concepts might be useful to answer the question: \n- Campaign\n- Vulnerability\n- Country\n- Location\n- AttackPattern\n- AttackPattern_LargeDescription\n- AttackPattern_SmallDescription\n- AttackPattern_LargeDescription\n- AttackPattern_SmallDescription\n- ThreatActor\n- Malware\n
7,What are SunBird-specific functionality?\nThese concepts might be useful to answer the question: \n- HostingMalware\n- Infrastructure\n- Malware\n- Vulnerability\n- Adware\n- Backdoor\n- Bootkit\n- Bot\n- DDoS\n- Downloader\n- Dropper\n- Exploit-kit\n- GeneralVirus\n- Keylogger\n- Ransomware\n- RemoteAccessTrojan-RAT\n- RogueSecuritySoftware\n- Rootkit\n- Spyware\n- Trojan\n- Webshell\n- ResourceExploitation\n- ScreenCapture\n- Unknown\n- Wiper\n- Worm\n- MalwareAnalysis\n- MalwareFamily\n
8,What are the challenges that a defender deal with due to the complexity of vendors landscape?\nThese concepts might be useful to answer the question: \n
9,Describe the Permanent Denial of Service attack (PDoS).\nThese concepts might be useful to answer the question: \n- DenialOfService\n- ExcessForks\n- MemoryConsumption\n- NetFlood\n- PingOfDeath\n- SysCrash\n- Consequence\n- MeansOrConsequence\n


In [None]:
onto_answer_evaluations.contexts

Unnamed: 0,contexts
0,"['Antivirus software uses either signature or heuristic-based detection to identify malware. On the \none hand, signature detection searches for a unique sequence of bytes that is specific to a piece of malicious code']"
1,"['CYBER\n \nTHREAT\n \nANALYSIS\nRedJuliett\n \ncompromised\n \ngovernment\n \norganizations\n \nin\n \nTaiwan,\n \nLaos,\n \nKenya,\n \nand\n \nRwanda.\n \nThe\n \ngroup\n \nalso\n \ntargeted\n \nthe\n \ntechnology\n \nindustry\n \nin\n \nTaiwan,\n \nincluding\n \nan\n \noptoelectronics\n \ncompany,\n \na\n \nlarge\n \nTaiwanese\n \nfacial\n \nrecognition\n \ncompany\n \nthat\n \nhas\n \nheld\n \ncontracts\n \nwith\n \nthe\n \nTaiwanese\n \ngovernment,\n \nand\n \nfour\n \nsoftware\n \ncompanies.\n \nMultiple\n \nuniversities\n \nwere\n \nalso\n \ncompromised,\n \nincluding\n \nthree\n \nTaiwanese\n \nuniversities,\n \nan\n \nAmerican\n \nuniversity,\n \nand\n \na\n \nDjiboutian\n \nuniversity.\n \nThe\n \ngroup\n \nalso\n \ntargeted\n \nreligious\n \norganizations\n \nin\n \nTaiwan,\n \nHong\n \nKong,\n \nand\n \nSouth\n \nKorea.\n \nAdditionally,\n \nRedJuliett\n \ncompromised\n \na\n \ngeological\n \nengineering\n \ncompany\n \nin\n \nHong\n \nKong,\n \na\n \nTaiwanese\n \nwaste\n \nand\n \npollution\n \ntreatment\n \ncompany,\n \nand\n \na\n \nTaiwanese\n \npublishing\n \nhouse.\nFigure\n \n3\x00\n \nSuspected\n \nRedJuliett\n \nvictims\n \nby\n \nsector\n \n\x00Source:\n \nRecorded\n \nFuture)\nRedJuliett\n \nTargets\n \nInternet-Facing\n \nWeb\n \nServers\n \nand\n \nAppliances\nUsing\n \nRecorded\n \nFuture®\n \nNetwork\n \nIntelligence\n,\n \nInsikt\n \nGroup\n \nobserved\n \nRedJuliett\n \nusing\n \ndedicated\n \nthreat\n \nactor-controlled\n \nSoftEther\n \nVPN\n \nservers\n \nto\n \nconduct\n \nreconnaissance\n \nand\n \nattempted\n \nexploitation\n \nactivity\n \ntargeting\n \na\n \nwide\n \nrange\n \nof\n \npredominantly\n \nTaiwanese\n \norganizations\n \nfrom\n \nNovember\n \n2023\n \nto\n \nApril\n \n2024.\n \nIn\n \naddition\n \nto\n \nacting\n \nas\n \nSoftEther\n \nVPN\n \nnodes,\n \nmultiple\n \nRedJuliett\n \nIP\n \naddresses\n \nhave\n \nbeen\n \nconcurrently\n \nconfigured\n \nas\n \nAcunetix\n \nWeb\n \nApplication\n \nSecurity\n \nScanners.\n \nInsikt\n \nGroup\n \nhas\n \nregularly\n \nobserved\n \nvulnerability\n \nscanning\n \nand\n \nexploitation\n \nactivity\n \nfrom\n \nthese\n \nservers\n \ntargeting\n \nweb\n \nservers\n \nassociated\n \n6\n \n \nC T A \x00 C N \x00 2 0 2 4 \x00 0 6 2 4\n \n \nR e c o r d e d\n \nF u t u r e\n®\n \n|\n \nw w w . r e c o r d e d f u t u r e . c o m']"
2,"['29\nTLP: Green TLP: Green For any inquire please contact intelreports@kaspersky.com For any inquire please contact intelreports@kaspersky.com\nBelow are snapshots taken from videos published by the attackers, showing their RAT control panel \nand list of victims. This shows some of the victims located in different countries.\nThe sample details and domain lists used by the attackers can be found in Appendices 1 and 2 in the \nend of this document.\n3.2.11. Activist Behavior\nIt is worth noting that we have seen evidence of activists trying to carry out Denial of Service attacks on the RAT domains and servers, in an effort to overwhelm their resources and cause their connections to timeout.\nThe post below shows a warning from activists about pro-government hacker attacks on Facebook \npages, explaining how pro-government groups post links to Trojanized applications in order to infect users The activists announce in the post that they have spotted a C&C domain used by the Trojans and that they are attacking it to remove all hacked victims.6\nTLP: Green For any inquire please contact intelreports@kaspersky.com\n3. Analysis\n3.1. Infection Vectors\nMalware writers are using multiple techniques to deliver their files and entice the victims to run them, \ncreating an effective infection vector. Mainly depending on social engineering the attackers exploit:•\nVictims’ trust in social networking forums\n•Victims’ curiosity in following news related to political conflict in Syria\n•Victims’ fear of attacks from government\n•Victims’ lack of technology awareness\nOnce they have infected the victim’s computer, attackers have full access and control over victim’s devices. In the following section we show different versions of posts sent via popular file sharing sites or social networking platforms. The sample details and domain lists used by the attackers can be found in the Appendices 1 and 2 in the end of the document.\n3.1.1. Skype messages\nMessages sent via Skype offer links to download:1.\nThe “SSH VPN” program to encrypt communication\n2.The popular and effective antivirus with daily updates from “Ammazon Internet Security”\n3.The “SmartFirewall” to block connections made by malware and bad programs\nThe messages are usually sent from fake or compromised accounts.5\nTLP: Green TLP: Green For any inquire please contact intelreports@kaspersky.com For any inquire please contact intelreports@kaspersky.com\n2. Introduction\nThe geopolitical conflicts in the Middle East have deepened in the last few years; Syria is no \nexception. The crisis is taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle, by exploiting cyber intelligence and exercising distortion.\nIn the last few years cyber-attacks in Syria have moved into the front line; many activities in \ncyberspace have been linked to Syria, especially those conducted by the Syrian Electronic Army and pro-government groups.\nThe Global Research and Analysis Team (GReAT) at Kaspersky Lab has found new malware attacks \nin Syria, using new but not advanced techniques to hide and operate malware, in addition to using proficient social engineering tricks to deliver malware by tricking and tempting victims into opening and exploring malicious files. The malware files have been found on hacked activist sites, web pages and in social networking forums.\nCyber Arabs, an Arabic-language digital security project of the IWPR (Institute for War and Peace \nReporting), reported four of these samples in March 2014. The same samples were also reported on Syrian Facebook pages (تقنيون لأجل الحريةTechnicians For Freedom): https://www.facebook.com/tech4freedom\nGiven the complexity of the situation, there are many factors and entities at play in this event, but \nfrom the outside these are all largely speculative. Pro-government groups talk about “defense” and opposition activists talk about “offense”. Here, we will only focus on the malware and the facts that have been found during the analysis, presenting only relevant information, in the hope of setting a clear context for this researchTLP: Green For any inquire please contact intelreports@kaspersky.comContents\n1. Executive Summary 2\n2. Introduction 53. Analysis 6 3.1. Infection Vectors 6 3.1.1. Skype messages 6 3.1.2. Facebook posts 7 3.1.3. YouTube Videos 8 3.2. Samples and types of files 9\n 3.2.1. The National Security Program 9\n 3.2.2. Files named “Scandals” are quite attractive 14 \n 3.2.3. “Ammazon Internet Security” the “popular Antivirus” 16\n 3.2.4. You’ve installed the latest antivirus solution, now let’s “protect your network” 19\n 3.2.5. Whatsapp and Viber for PC: Instant messaging, instant infection 20\n 3.2.6. Beware of chemical attacks 22 3.2.7. Commands and functionality 23 3.2.8. Evolution of malware attack file numbers 25\n 3.2.9. Locations, domains and team 26\n 3.2.10. Victims 28\n 3.2.11. Activist Behavior 30\n 3.3. Attribution 324. Kaspersky Lab MENA RAT Statistics 345. Conclusion 37Appendix 1: Samples 38Appendix 2: C&C Domains 47\nTLP: Green For any inquire please contact intelreports@kaspersky.com14\nTLP: Green For any inquire please contact intelreports@kaspersky.com\nThe presence of DarkComet’s “DC_MUTEX-*” was a giveaway of the usage of this remote \nadministration tool.\nDuring infection, the Excel spreadsheet is displayed, comprising 96763 rows and 13 columns of \nactivist information. The rows correspond to records of individuals wanted by the government and the columns correspond to information about the individuals. While there is no column description, data in each column reflects the type of data.\n3.2.2. Files named “Scandals” are quite attractive \n Using shockingly disturbing videos to distribute malware\nA disturbing video showing injured victims of recent bombings was used to appeal to people’s fear \nand exert them to download a malicious application available in a public file-sharing website. After our initial analysis, the file named “فضائحexe” proved to be heavily obfuscated with the commercial \nutility “MaxToCode” for .NET as a means of avoiding early detection by antivirus solutions.\nWhen executed, the original sample created another executable file in the Windows’ temporary \nfolder (C:\\Users\\[USERNAME]\\AppData\\Local\\Temp) named “Trojan.exe”, which corresponds to the code of the RAT itself. This is used to save all keystrokes and system activity to another file in the same location, “Trojan.exe.tmp”.7Incident Response Report 2024\nWho’s Doing It?\nIn 2023, by far the most damaging threat actor was a group we call \nMuddled Libra. They’re a criminal group focused on /uniFB01nancial gain. They are also one of the most aggressive threat actors in the landscape today. Countering their attacks is a challenge for defenders of small and large organizations alike. This report has a special section on them, including an analysis of what they do and how you can defend against them. \nOf course, they weren’t the only group in the mix. We also responded to \ncompromises from other criminal groups, state-aligned actors, and some groups that we don’t know enough about yet to characterize.\nAnswering this question of “who” is one of the things that Unit 42 Threat \nIntelligence is great at. We’ll keep researching and uncovering attackers wherever they try to hide. \nHow Do Threat Actors Get In?\nIn the past year, attackers’ initial access most often started with a software vulnerability. The largest attack campaigns began with successful exploitation of internet-facing systems. From there, the stories varied. \nNaturally, we also saw other techniques, from attackers using previously \nstolen credentials, phishing (both in email and chat), and more. \nBut don’t be misled–though phishing lost the top spot and dropped to \nnumber three, it’s still a serious threat. Attackers leverage phishing attacks for access, credentials, and tokens, rather than trying to drop malware. \nWhat Helped Threat Actors Succeed?\nThere were three security weaknesses that weren’t themselves the cause of incidents, but made attackers’ lives easier. Address these, and you’ll be helping yourself and hurting them.\n• Patch management. It’s only a matter of time. Unpatched \nvulnerabilities on internet-facing systems will be exploited. Measure and \nreduce your attack surface, and you’ll improve this.\n• Consistent coverage. Our incident responders found that \norganizations with partial or incomplete deployment of security controls (especially endpoint detection and response tools) allowed attackers to operate from parts of the network that weren’t defended. Deploy your defenses everywhere, and you’ll deny them this advantage.\n• Identity and access management. More attackers are stealing and \nusing the identity of authorized personnel to access and move around networks. Make that harder and embark on or continue a journey toward Zero Trust networking, and you’ll pressure attackers into making mistakes you can see.Actors, Methods and Targets\nSubscribe NowListen to Unit 42’s\nWhere we share unique \nthreat intelligence insights, \nnew threat actor TTPs,\nand real-world case studies']"
3,"['5\nTLP: Green TLP: Green For any inquire please contact intelreports@kaspersky.com For any inquire please contact intelreports@kaspersky.com\n2. Introduction\nThe geopolitical conflicts in the Middle East have deepened in the last few years; Syria is no \nexception. The crisis is taking many forms, and the cyberspace conflict is intensifying as sides try to tilt the struggle, by exploiting cyber intelligence and exercising distortion.\nIn the last few years cyber-attacks in Syria have moved into the front line; many activities in \ncyberspace have been linked to Syria, especially those conducted by the Syrian Electronic Army and pro-government groups.\nThe Global Research and Analysis Team (GReAT) at Kaspersky Lab has found new malware attacks \nin Syria, using new but not advanced techniques to hide and operate malware, in addition to using proficient social engineering tricks to deliver malware by tricking and tempting victims into opening and exploring malicious files. The malware files have been found on hacked activist sites, web pages and in social networking forums.\nCyber Arabs, an Arabic-language digital security project of the IWPR (Institute for War and Peace \nReporting), reported four of these samples in March 2014. The same samples were also reported on Syrian Facebook pages (تقنيون لأجل الحريةTechnicians For Freedom): https://www.facebook.com/tech4freedom\nGiven the complexity of the situation, there are many factors and entities at play in this event, but \nfrom the outside these are all largely speculative. Pro-government groups talk about “defense” and opposition activists talk about “offense”. Here, we will only focus on the malware and the facts that have been found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research6/1/2020 Russian Cyber Attack Campaigns and Actors - Threat Research\nhttps://ironnet.com/blog/russian-cyber -attack-campaigns-and-actors/ 1/9May 29, 2020Russian Cyber Attack Campaigns and Actors\nironnet.com /blog/russian-cyber-attack-campaigns-and-actors\nSome of the most notorious actors in the cyber threat landscape have been traced back to\nsponsorship by the Russian state. As the digital revolution has accelerated, so, too, has the\nRussian cyber attack landscape — hold-over Cold War tactics that evolved to take advantage of\nnew electronic methods of communication.\nStrategic Russian interests are guided by the desires for Russia to be recognized as a great\npower, to protect the Russian identity, and to limit global United States power.\xa0 These themes are\nevident in components commonly associated with Russian-backed cyber threat campaigns:\nThe weaponization of information through disinformation campaigns and propaganda\nAttempted interference in democratic processes\nStrategic positioning within critical infrastructure, perhaps as preparation for potential\nescalation of hostilities with rival nations.\nTo summarize the threat at a more tactical level, we have scoured cybersecurity reporting in order\nto prepare an overview of cyber threat actors observed more recently, and to which evidence-\nbased analysis has assigned the likelihood of Russian state-sponsorship as probable. Each actor\nis presented with highlights of more notable campaign activity, with notations on countries and\nsectors targeted, as well as a mention of behaviors or tactics, techniques, and procedures (TTPs)\nutilized in order to enable actions on objectives. Footnotes provide links to further, more detailed,\nreading6/1/2020 Russian Cyber Attack Campaigns and Actors - Threat Research\nhttps://ironnet.com/blog/russian-cyber -attack-campaigns-and-actors/ 9/9states, sectors, supply chains, companies of all sizes — and even entire nations —\xa0 to work\ncollaboratively for stronger cyber defense against Russian and other nation-state level\nadversaries31\nTLP: Green TLP: Green For any inquire please contact intelreports@kaspersky.com For any inquire please contact intelreports@kaspersky.com\n3.3. Attribution\nTeam and positions\nFrom many posts, forums and identification videos, it is clear that the group has an organized \nstructure of teams working together, The names and positions outlined below were collected from posts on infiltrated forums or pages. They are all either nicknames or incomplete names that do not enable full identification of the attackers.\nThe Resistant Syrian Electronic Army\n• Group 1: Team Hacker and Assad Penetrations Unit\n• Group 2: Anonymous Syria Al Assad Unit\n• Group 3: Management of Electronic Monitoring and Central Tracking Unit\nGroup1: Team Hacker and Assad Penetrations Unit\nName Position\nShady Head of Assad Hacker team\nFadi Responsible for raids\nSarmad Responsible for operations in raids unit \nMahmoud Assistant to the head of management unit\nGirl nickname Fidaeya (redemptionist) Member of support and publishing team\nNajma Member of media and publishing team6/1/2020 Russian Cyber Attack Campaigns and Actors - Threat Research\nhttps://ironnet.com/blog/russian-cyber -attack-campaigns-and-actors/ 4/9defended companies and subcontractors within the energy sector have been targeted — likely as\na means for the actor, in turn, to target regional and national-level energy companies and power\nsuppliers.\nKnown\nTar‐\ngetsEnergy , Aviation, Pharmaceutical, Defense, Petrochemical sectors in the\nUnited States and Europe\nSam‐\nple\nTTPsCompromise legitimate industrial control systems vendor sites and\nplant trojanized versions of ICS-related software and applications on\nthose sites\nSpearphishing emails with PDF attachments embedded with Adobe\nFlash exploits\nAlso\nKnown\nAsDragonﬂy , Crouching Y eti, Havex, Koala, Iron Liberty\nDYMALLOY\nSome researchers attribute the activities of this group to an evolution of Energetic Bear activity\n(referring to earlier activity as Dragonﬂy and later activity as Dragonﬂy 2.0); however, Dragos\nasserts that there are enough technical differences to justify tracking this as a separate group.\nThis group avoids using custom malware, opting for commodity malware families that hinder\nattempts at applying attribution. Crowdstrike reports that this group has strong ties to Moscow, as\ntargeting aligns closely with likely collection priorities of Russian intelligence.\nKnown T argets Industrial Control Systems in T urkey , Europe, and the United States\nSample TTPs Use of commodity malware such as Goodor , DorShel, and Karagany\nAlso Known\nAsDragonﬂy 2.0, Berserk Bear\nAPT29\nThis group has operated since at least 2008, collecting intelligence in support of foreign and\nsecurity policy decision-making. The primary targets are Western governments and related\norganizations, but intrusion attempts have been witnessed across a broad spectrum of sectors.\nNotable compromises include the intrusion into the Democratic National Committee in 2015 and\n2016, and intrusions into unclassiﬁed networks of a variety of U.S. government departments.\nKnown\nTar‐\ngetsWestern governments and related organizations, as well as W estern Europe,\nBrazil, China, Japan, Mexico, New Zealand, South Korea, T urkey , and Cen‐\ntral Asian countries.6/1/2020 Russian Cyber Attack Campaigns and Actors - Threat Research\nhttps://ironnet.com/blog/russian-cyber -attack-campaigns-and-actors/ 7/9systems, collecting as much information as possible, before making a determination as to\nwhether the target is of interest for further operations. One of the techniques utilized includes\nattempting to lure visitors of compromised websites to download fake Adobe Flash updates, an\napproach utilized by cyber criminals across the globe.\nKnown\nTargetsGovernment, Aerospace, NGOs, Defense, Cryptology , and Education sec‐\ntors in more than 45 dif ferent countries throughout the world\nSample\nTTPsExtensive use of covert exﬁltration tactics such as using hijacked\nsatellite connections and covert channel backdoors\nWaterholing government websites\nInfecting removable storage devices\nIn-house complex malware development\nAlso\nKnown\nAsSnake, V enomous Bear , Waterbug, Uroburos\nXENOTIME\nThis group has been identiﬁed as the most dangerous threat actor publicly known, due to its\nassociation with malware known as TRITON, designed to target a speciﬁc safety instrumented\nsystem (SIS) within industrial control systems. SIS are hardware and software controls used to\nimplement safe states in order to avoid adverse safety, health, and environmental consequences,\nand, as such, targeting of these systems could lead to loss of life scenarios. TRITON was\ndiscovered at a petrochemical plant in Saudi Arabia when the attacker was believed to have\ninadvertently shut down plant operations after gaining access to a SIS engineering workstation to\ndeploy the attack framework. Because TRITON malware samples are now easily discoverable\nonline, the bar has effectively been lowered for other threat actors to enter the ICS arena.\nKnown\nTar‐\ngetsOil, gas, and electric sectors in the Middle East, North America, Europe, and\nAPAC\nSam‐\nple\nTTPsCapability to gain access to hardware and software not widely avail‐\nable, in order to reverse engineer proprietary protocols and identify pre‐\nviously unknown vulnerabilities for exploitation\nPerimeter VPN compromise for initial access to target network\nAlso\nKnown\nAsTEMP .Veles\nGamaredon Group\nThis group notably conducts espionage and intelligence gathering via Russian cyber attack\nstrategies in support of Russian national interests, and seems to primarily focus efforts on\nUkrainian national security targets. Cybersecurity researchers have pointed out that this group’s']"
4,"['Skype messages\nMessages sent via Skype offer links to download:1.\nThe “SSH VPN” program to encrypt communication\n2.The popular and effective antivirus with daily updates from “Ammazon Internet Security”\n3.The “SmartFirewall” to block connections made by malware and bad programs\nThe messages are usually sent from fake or compromised accounts.Threat Actor\n\nThreat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.\n\n\nType - Person, Organization, Group\nAdded - 06/2021\nIt is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. ( ref: STIX 2.1)\n\n- Adapted from STIX 2.1\n- Added 06/2021\n- MalONT v2.0']"
5,"['Some of the most popular RATs are detected by Kaspersky products as following:\n• Trojan.MSIL.Zapchast, also known as Njrat\n• Backdoor.Win32.Bifrose, also known as Bitfrose\n• Backdoor.Win32Kaspersky Lab MENA RAT Statistics\nRemote Administration Tool (RAT) Trojans are malicious programs that allow a remote “operator” to \ncontrol a system as if he has physical access to that systemcom\nBased on KSN world statistics, the MENA region has one of the highest numbers for RAT attacks, as \nshown below:\nCountry Number of users\nAlgeria 39113\nIndia 35024\nFrance 10955\nSaudi Arabia 9616\nMexico 6862\nIraq 6756\nTurkey 6321\nEgypt 5567\nRussian Federation 5526\nMalaysia 5014\n• Algeria has the highest number of users facing NjRat infection for the 2013-2014 period and five countries from MENA are in the NjRat top 10\n• Algeria has the highest number of users facing Xtreme RAT infection for the 2013-2014 period and four countries from MENA are in the Xtreme RAT top 10com\nAmong the most popular RAT found in the samples subset is Dark Comet, a free remote \nadministration tool that provides a comprehensive command set for the attackers to use in their malicious purposesXtreme, also known as Xtremrat\nThe statistics below, extracted from the Kaspersky Security Network (KSN), show the number of RAT infection attacks blocked by Kaspersky Lab products in the MENA (Middle East North Africa) region in the 2013-2014 period:\nCountry/Detection Zapchast Bitfrose Fynloski XtremeRAT Total\nAlgeria 39113 12071 11643 7106 69900+\nTurkey 6326 3325 14002 3586 27200+\nKSA 9616 5555 5336 4516 25000+\nEgypt 5567 5883 4325 2634 18400+\nIraq 6756 2280 3235 3055 15300+\nUAE 3594 1165 9244 745 14700+\nMorocco 4084 2710 3104 1233 11100+\nLebanon 426 297 8073 136 8900+\nTunisia 2844 1888 1495 1004 7200+\nSyria 2806 1897 1362 544 6600+\nQatar 1332 327 2177 233 4000+\nJordan 1259 680 1104 414 3400+\nOman 1241 446 915 374 2900+\nBahrain 1218 178 1214 254 2800+\nKuwait 454 407 922 345 2100+Malicious RATs are widely used by different types of cybercriminals (hacktivists, script-kiddies, and scammers) and even in some state-sponsored attacksAnother RAT widely used in the Arab world is NjRAT, which includes a list of commands (see \nbelow) that can be sent from the controller to the infected system.\nDarkComet Control panel & Functionalitycom\nBelow are snapshots taken from videos published by the attackers, showing their RAT control panel \nand list of victims. This shows some of the victims located in different countriesKnown\nTargetsUkrainian ﬁnancial sector\nSample\nTTPsSpearphishing with Microsoft Excel attachments containing malicious\nmacros\nHiding malicious network activity by abusing legitimate services to host\npayloads or provide communication mediums for attackers\nDeployingredundant backdoors within a network\nDisguising malware backdoors by providing them with names resem‐\nbling A V-related services\nAlso\nKnown\nAsSandworm T eam\nEnergetic Bear\nThis group is assessed as the creator of the Havex RAT, which is one of ﬁve known ICS tailored\nmalware familiesWhile silently executing a remote administration tool when launching this “security suite”, targeted victims were left without their “Ammazon” protection but witha RAT installedSamples\tand\ttypes\tof\tfiles\nAnalysis has led us to identify the following RAT variants being used in the wild:\n• ShadowTech RAT\n• Xtreme RAT\n• NjRAT\n• Bitcomet RAT\n• Dark Comet RAT\n• BlackShades RAT\nThe samples collected during our research can be classified as follows']"
6,"['6/1/2020 Russian Cyber Attack Campaigns and Actors - Threat Research\nhttps://ironnet.com/blog/russian-cyber -attack-campaigns-and-actors/ 1/9May 29, 2020Russian Cyber Attack Campaigns and Actors\nironnet.com /blog/russian-cyber-attack-campaigns-and-actors\nSome of the most notorious actors in the cyber threat landscape have been traced back to\nsponsorship by the Russian state. As the digital revolution has accelerated, so, too, has the\nRussian cyber attack landscape — hold-over Cold War tactics that evolved to take advantage of\nnew electronic methods of communication.\nStrategic Russian interests are guided by the desires for Russia to be recognized as a great\npower, to protect the Russian identity, and to limit global United States power.\xa0 These themes are\nevident in components commonly associated with Russian-backed cyber threat campaigns:\nThe weaponization of information through disinformation campaigns and propaganda\nAttempted interference in democratic processes\nStrategic positioning within critical infrastructure, perhaps as preparation for potential\nescalation of hostilities with rival nations.\nTo summarize the threat at a more tactical level, we have scoured cybersecurity reporting in order\nto prepare an overview of cyber threat actors observed more recently, and to which evidence-\nbased analysis has assigned the likelihood of Russian state-sponsorship as probable']"
7,"['Locally on the infected device, the data is\ncollected in SQLite databases which are then compressed into ZIP files as they\nare uploaded to C2 infrastructure.\n\nSunBird can exfiltrate the following list of data, in addition to the list\nabove:\n\n * List of installed applications\n * Browser history\n * Calendar information\n * BlackBerry Messenger (BBM) audio files, documents and images\n * WhatsApp Audio files, documents, databases, voice notes and images\n * Content sent and received via IMO instant messaging application\n\nIn addition to the list of actions above, SunBird can also perform the\nfollowing actions:\n\n * Download attacker specified content from FTP shares\n * Run arbitrary commands as root, if possible\n * Scrape BBM messages and contacts via accessibility services\n * Scrape BBM notifications via accessibility services\n\n\u200d\n\n _Samples of SunBird have been found hosted on third-party app stores,\nindicating one possible distribution mechanism']"
8,"['Part II: \nThe defender landscapeSecurity Challenges \nand Opportunities \nfor DefendersThe economic reality for service providers is that unless \nprovided as a managed service, security is a cost center, \nnot a profit center, and therefore needs to be kept lean—but \nthe pressures of competition and the threat landscape have \nforced an increased focus on security.\nService provider scale creates challenges\nAs in every industry, the proliferation of security vendors and \ntools is a problem, because solutions are often not integrated \nand don’t provide an actionable view of the threats facing the \nprovider. In the service provider space, this problem is magnified \nby the scale of the market. Two-thirds of service provider \nsecurity professionals said they rely on six or more vendors; \n38 percent said they rely on more than 10 vendors (Figure 60).\nWhen asked about products in use, 70 percent said they \nuse at least 6 security products, and half use more than 10 \nproducts. In many cases, say Cisco experts in this market, \nthere isn’t much integration among products, which means \nthey experience an exponential increase in complexity for \neach incremental gain in security.\nSource: Cisco 2017 Security Capabilities Benchmark StudyTwo-thirds of service providers use \n6+ vendors, with 38% using more than 1070% use 6+ products, with half \nusing more than 10\n38%66%Service\nProvidersProducts\n70%\n50%6+ \n10+ 6+ \n10+ \nVendorsService\nProvidersFigure 60 Percentage of service providers that use solutions from 6 or more vendors and productsDownload the 2017 graphics at: cisco.com/go/mcr2017graphics']"
9,"['40Cisco 2017 Midyear Cybersecurity Report\nAttacker BehaviorBrickerBot\n27 For more on this topic, see “BrickerBot PDoS Attack: Back With A Vengeance,” Radware, April 21, 2017: \nsecurity.radware.com/ddos-threats-attacks/brickerbot-pdos-back-with-vengeance/ . \n28 For more on this topic, see “Hajime – Sophisticated, Flexible, Thoughtfully Designed and Future-Proof,” by Pascal Geenens, Radware, April 26, 2017: \nblog.radware.com/security/2017/04/hajime-futureproof-botnet/ .Permanent denial of service (PDoS) attacks are fast-moving \nbot attacks designed to stop device hardware from functioning. \nThis form of cyber attack is becoming increasingly popular.27\nKnown as “phlashing” in some circles, PDoS attacks damage \nsystems so severely that the hardware must be reinstalled or \nreplaced. By exploiting security flaws or misconfigurations, PDoS \nattacks can destroy the firmware and basic system functions.\nBrickerBot can:\n •Compromise devices: BrickerBot’s PDoS attacks use \nTelnet brute force—the same exploit vector used by Mirai—\nto breach users’ devices.\n •Corrupt devices: Once it successfully accesses a \ndevice, BrickerBot performs a series of Linux commands \nthat ultimately lead to corrupted storage. It then issues \ncommands to disrupt Internet connectivity and device \nperformance, wiping all files on the device.\nFigure 33 shows the exact sequence of commands the \nBrickerBot performs.\nHajime\nHajime is intriguing, and threat intelligence researchers \nmonitor it very closely']"


In [None]:
onto_answer_evaluations.ground_truth

Unnamed: 0,ground_truth
0,Signature detection is used in antivirus software to search for a unique sequence of bytes that is specific to a piece of malicious code.
1,"RedJuliett targeted the technology industry, including organizations in critical technology fields, semiconductor companies, Taiwanese aerospace companies, electronics manufacturers, universities focused on technology, an industrial embedded systems company, a technology-focused research and development institute, and computing industry associations. They also targeted organizations involved in Taiwan's economic and trade policy, including de facto embassies, government departments, think tanks, and a trade promotion organization. Additionally, RedJuliett targeted civil society, including media organizations, a charity, and an NGO focused on human rights. Outside of Taiwan, they targeted government organizations in the Philippines, a government department in Djibouti, and a Malaysian airline."
2,"Pro-government groups use Trojanized apps on Facebook to infect users by posting links to these apps. They use social engineering techniques to entice users to download and run these apps, such as offering programs for encryption, antivirus protection, and firewall blocking. They also send messages via Skype and share posts on Facebook with links to download these apps. These apps contain Remote Administration Tool (RAT) Trojans, which allow the attackers to control the infected system remotely. The attackers use various RAT variants, including ShadowTech RAT, Xtreme RAT, NjRAT, Bitcomet RAT, Dark Comet RAT, and BlackShades RAT. The attackers continuously evolve their techniques and use different delivery options, such as hiding malicious files in "".scr"" containers to avoid detection by security solutions."
3,"Threat actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. The applications involved are malicious Android applications used in a Campaign orchestrated by the Syrian Electronic Army (SEA). These apps, which include names like “Covid19” and “Telegram Covid_19”, impersonate legitimate applications to lure users into downloading them. Their role is to serve as part of a surveillance operation, deploying RemoteAccessTrojan-RAT malware to gather and exfiltrate sensitive information from the target devices."
4,"Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. They use social engineering skills, such as the exploitation of Skype messages by sending malicious links or attachments that appear legitimate but they are usually sent from fake or compromised accounts. These links to download programs, like 'SSH VPN' or 'Ammazon Internet Security', can lead to the installation of malware on the victim's device, which can then be used to steal sensitive information or take control of the device."
5,"Kaspersky Lab detected the following types of RATs in MENA in 2013-2014: Zapchast, Bitfrose, Fynloski, and XtremeRAT."
6,"A campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. The country with some of the most notorious actors in cyber attack campaigns is Russia. Strategic Russian interests are guided by the desires for Russia to be recognized as a great power, to protect the Russian identity, and to limit global United States power. These themes are evident in components commonly associated with Russian-backed cyber threat campaigns: the weaponization of information through disinformation campaigns and propaganda; attempted interference in democratic processes; strategic positioning within critical infrastructure, perhaps as preparation for potential escalation of hostilities with rival nations."
7,"SunBird attempts to upload all data it has access to at regular intervals to its command and control (C2) servers. Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure. SunBird can exfiltrate the following list of data: \n-List of installed applications \n-Browser history \n-Calendar information \n-BlackBerry Messenger (BBM) audio files, documents and images \n-WhatsApp Audio files, documents, databases, voice notes and images \n-Content sent and received via IMO instant messaging application \nSunBird can also perform the following actions: \n-Download attacker specified content from FTP shares \n-Run arbitrary commands as root, if possible \n-Scrape BBM messages and contacts via accessibility services \n-Scrape BBM notifications via accessibility services"
8,"Defenders face several challenges due to the complexity of the vendor landscape: \n- Managing multiple vendors and products adds significant complexity.\n- The difficulty of integrating these products into a cohesive security strategy: they don’t provide an actionable view of the threats.\n- Vulnerabilities due to the lack of coordination between different security tools.\n- It is difficult for defenders to stay up-to-date on the latest security trends and best practices, leading to a potential loss of efficiency and effectiveness."
9,"Permanent denial of service (PDoS) attacks are rapid bot attacks that render device hardware non-functional, often requiring hardware reinstallation or replacement. These attacks, also known as ""phlashing,"" exploit security flaws to destroy firmware and system functions. The BrickerBot malware uses Telnet brute force to breach devices, corrupts storage with Linux commands, disrupts internet connectivity, and wipes all files on the device."


In [None]:
onto_answer_evaluations.answer

Unnamed: 0,answer
0,Antivirus software uses signature detection to identify malware. Signature detection looks for a unique sequence of bytes that is specific to a piece of malicious code. This allows the software to detect and remove the malware from the system.
1,
2,"Remote Access Trojans (RATs) are a type of malware that allows attackers to remotely access and control a victim's computer. These trojans are typically delivered through phishing emails or drive-by downloads, where the user is tricked into downloading and running the malicious software. Once installed, the RAT provides the attacker with complete control over the victim's machine, allowing them to steal sensitive information, install additional malware, and even take control of the camera and microphone. One way that pro-government groups use Trojanized apps on Facebook to infect users is by creating fake profiles and posting links to malicious apps on their walls. When users click on the link, they are redirected to a malicious website where they are prompted to download and install the app. The app appears to be legitimate, but in reality, it contains a hidden RAT that gives the attacker full control over the victim's device. Another technique used by pro-government groups is to create fake news articles or videos that contain malicious links. These links may appear to lead to legitimate news sources or videos, but instead, they redirect the user to a malicious website where they are prompted to download and install the malicious app. In addition to using Trojanized apps, pro-government groups also use phishing emails to infect users. These emails may appear to come from trusted sources such as banks or government agencies, and they may contain links to malicious websites or attachments that contain malware. Overall, pro-government groups use a variety of techniques to infect users with RATs, including Trojanized apps, phishing emails, and fake news articles or videos. By understanding these techniques, users can take steps to protect themselves, such as being cautious when clicking on links or downloading apps, and keeping their antivirus software up to date."
3,"\n\nThreat actors are individuals or groups who engage in illegal or malicious activities online. In the context of cybersecurity, threat actors can refer to hackers, cybercriminals, or state-sponsored actors who attempt to breach computer systems or networks for various reasons, such as financial gain, political motives, or espionage.\n\nIn the case of the Syrian Electronic Army (SEA), they are a group of hackers who support the Syrian government and carry out cyber attacks against opponents of the regime. Their activities include website defacements, data theft, and distributed denial-of-service (DDoS) attacks.\n\nIn terms of the applications involved, the SEA uses various tools and techniques to carry out their attacks. Some examples include SQL injection, cross-site scripting (XSS), phishing, and social engineering. They also leverage vulnerabilities in web applications and operating systems to gain access to systems and steal sensitive information.\n\nThe role of the SEA in a campaign connected to the ThreatActor Syrian Electronic Army (SEA) is to disrupt and damage the reputation of their targets. By carrying out cyber attacks, they aim to undermine the credibility and influence of their opponents, often through defacing websites or stealing confidential information.\n\nIt's important to note that the SEA is just one example of a threat actor. There are numerous other groups and individuals who engage in cyber attacks for various purposes. It's crucial to stay informed about the latest threats and implement appropriate security measures to protect against them."
4,"Threat actors are individuals, groups, or organizations who engage in cyberattacks with malicious intent. They use various methods to exploit vulnerabilities in systems, including social engineering, phishing attacks, and malware distribution. One way threat actors exploit Skype messages is by sending malicious links or attachments that appear legitimate but contain malware. These links or attachments can lead to the installation of malware on the victim's device, which can then be used to steal sensitive information or take control of the device."
5,"The most popular RATs detected by Kaspersky Lab in MENA in 2013-2014 include Zapchast, Bitfrose, Fynloski, Xtreme RAT, and NjRat. These RATs have been used by various cybercriminals, including hacktivists, script-kiddies, and scammers. Some of these RATs, such as NjRAT, have a list of commands that can be sent from the controller to the infected system."
6,"A campaign is a series of coordinated actions or events intended to achieve a specific goal. In the context of cyber attacks, a campaign refers to a series of cyber attacks carried out by a group or individual with the aim of achieving a particular objective. The country with some of the most notorious actors in cyber attack campaigns is Russia. This is because Russia has been involved in several high-profile cyber attacks over the years, including the 2016 US presidential election hack, the NotPetya ransomware attack, and the SolarWinds supply chain attack. Russia is known for its sophisticated cyber capabilities and has been accused of using these capabilities to further its political and strategic objectives."
7,"SunBird is a malicious Android spyware that was discovered by the Lookout Threat Intelligence team. It is designed to collect sensitive information from infected devices, including contact lists, call logs, text messages, and location data. The spyware also has the ability to record phone calls and take pictures or videos without the user's knowledge. One of the key features of SunBird is its ability to exfiltrate data from popular messaging apps such as WhatsApp, Telegram, and Signal. This allows the attackers behind the spyware to gain access to private conversations and other sensitive information shared through these platforms. Additionally, SunBird can also steal login credentials for various online accounts, allowing the attackers to gain access to even more personal information. Overall, SunBird is a highly sophisticated piece of malware that poses a significant threat to users who may be targeted by its creators. It is important for users to be aware of this threat and take steps to protect themselves, such as installing antivirus software and avoiding downloading apps from untrusted sources."
8,"The challenges that a defender deals with due to the complexity of vendors landscape include the need to manage multiple vendors and products, the difficulty of integrating these products into a cohesive security strategy, and the potential for gaps in coverage or vulnerabilities due to the lack of coordination between different security tools. Additionally, the sheer number of vendors and products can make it difficult for defenders to stay up-to-date on the latest security trends and best practices, leading to a potential loss of efficiency and effectiveness."
9,"The Permanent Denial of Service attack (PDoS) is a type of cyber attack that aims to render a computer or network unavailable for an extended period of time. Unlike traditional denial of service attacks, which are typically short-lived and intended to cause temporary disruption, PDoS attacks are designed to permanently disable the target system. One common method of carrying out a PDoS attack is through the use of malicious software known as ""brickers."" These programs are specifically designed to corrupt or delete critical system files, rendering the target system unusable. In some cases, brickers may also attempt to overwrite the boot sector of the hard drive, making it impossible for the system to start up at all. Another technique used in PDoS attacks is the exploitation of vulnerabilities in the target system's firmware. This can allow attackers to gain remote access to the system and make changes to its configuration, potentially causing it to become unresponsive or even crash entirely. Once a PDoS attack has been successful, the affected system may require extensive repairs or replacement in order to restore functionality. As such, these attacks can have significant financial and operational impacts on organizations that rely on their IT infrastructure for day-to-day operations. To protect against PDoS attacks, organizations should implement robust security measures such as firewalls, intrusion detection systems, and regular patch management practices. Additionally, it is important to maintain strong password policies and ensure that all user accounts have appropriate levels of access control."
