ID | E1204 |
Objective(s) | Execution |
Related ATT&CK Techniques | User Execution (T1204) |
Version | 2.0 |
Created | 28 August 2019 |
Last Modified | 17 August 2023 |
Malware may include code that relies on specific actions by a user to execute. Note that this MBC behavior differs from ATT&CK's User Execution in that it does not include direct code execution (user action for initial execution) - MBC does not encompass ATT&CK's Initial Access Tactic.
This behavior is related to Unprotect technique U1339.
See ATT&CK Technique: User Execution (T1204).
Name | Date | Method | Description |
---|---|---|---|
GoBotKR | 2019 | -- | GoBotKR is made to look like the torrent content that the user intended to download, in order to entice the user to click on it. [1] |
Rombertik | 2015 | -- | The malware relies on a victim to execute it. [2] |
Terminator | 2013 | -- | The malware relies on user interaction to execute. [3] |
Vobfus | 2016 | -- | The malware relies on user interaction to run the executable. [4] |
CryptoLocker | 2013 | -- | The malware relies on victims to execute it. [5] |
SearchAwesome | 2018 | -- | The user opens a disk image file which invisibly installs its components. [6] |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://blogs.cisco.com/security/talos/rombertik
[3] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf
[4] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[5] https://www.secureworks.com/research/cryptolocker-ransomware
[6] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection