{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T03:56:47Z","timestamp":1770004607530,"version":"3.49.0"},"reference-count":56,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,6,26]],"date-time":"2021-06-26T00:00:00Z","timestamp":1624665600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,6,26]],"date-time":"2021-06-26T00:00:00Z","timestamp":1624665600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,4]]},"DOI":"10.1007\/s10207-021-00559-2","type":"journal-article","created":{"date-parts":[[2021,6,26]],"date-time":"2021-06-26T16:02:41Z","timestamp":1624723361000},"page":"357-378","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["A novel malicious remote administration tool using stealth and self-defense techniques"],"prefix":"10.1007","volume":"21","author":[{"given":"Ioannis","family":"Kazoleas","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1684-7612","authenticated-orcid":false,"given":"Panagiotis","family":"Karampelas","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,6,26]]},"reference":[{"key":"559_CR1","unstructured":"Kelley, M.B.: The Stuxnet attack on Iran's nuclear plant was' far more dangerous' than previously thought. Business Insider, p. 20 (2013)."},{"key":"559_CR2","unstructured":"Naraine, R., Protalinski, E., & Danchev, D.:. Stuxnet attackers used 4 windows zero-day exploits. ZDnet Blog (2010)."},{"key":"559_CR3","unstructured":"Matrosov, A., Rodionov, E., Harley, D., Malcho, J.: Stuxnet under the microscope. ESET LLC (2010)."},{"key":"559_CR4","unstructured":"Seals, T.: APT15 Pokes Its Head Out With Upgraded MirageFox RAT. https:\/\/www.threatpost.com\/apt15-pokes-its-head-out-with-upgraded-miragefox-rat\/132943\/ (2018)"},{"key":"559_CR5","unstructured":"Cutler, S.: The Mirage Campaign. https:\/\/www.secureworks.com\/research\/the-mirage-campaign (2012)"},{"key":"559_CR6","unstructured":"Rosenberg, J.: MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. https:\/\/intezer.com\/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones\/ (2018)"},{"key":"559_CR7","unstructured":"AV-Test.: New Malware. https:\/\/www.av-test.org\/en\/statistics\/malware\/ (2020)"},{"key":"559_CR8","doi-asserted-by":"publisher","first-page":"6249","DOI":"10.1109\/ACCESS.2019.2963724","volume":"8","author":"\u00d6A Aslan","year":"2020","unstructured":"Aslan, \u00d6.A., Samet, R.: A comprehensive review on malware detection approaches. IEEE Access 8, 6249\u20136271 (2020)","journal-title":"IEEE Access"},{"key":"559_CR9","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4842-6193-4","volume-title":"Malware Analysis and Detection Engineering","author":"A Mohanta","year":"2020","unstructured":"Mohanta, A., Saldanha, A.: Malware Analysis and Detection Engineering. Apress, Berkeley, CA (2020)"},{"key":"559_CR10","doi-asserted-by":"crossref","unstructured":"Smith, M.R., Johnson, N.T., Ingram, J.B., Carbajal, A.J., Haus, B.I., Domschot, E., Kegelmeyer, W.P.: Mind the Gap: On Bridging the Semantic Gap between Machine Learning and Malware Analysis. In: Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, pp. 49\u201360 (2020).","DOI":"10.1145\/3411508.3421373"},{"key":"559_CR11","doi-asserted-by":"publisher","first-page":"838","DOI":"10.1109\/TIFS.2020.3021924","volume":"16","author":"M Fan","year":"2020","unstructured":"Fan, M., Wei, W., Xie, X., Liu, Y., Guan, X., Liu, T.: Can We Trust Your Explanations? Sanity Checks for Interpreters in Android Malware Analysis. IEEE Trans. Inf. Forensics Secur. 16, 838\u2013853 (2020)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"559_CR12","unstructured":"Ogheneovo E., Oputeh. K.: Source Code Obfuscation: A Technique for Checkmating. http:\/\/www.ijesi.org\/papers\/Vol(3)5\/Version-4\/A035401010.pdf (2014)"},{"key":"559_CR13","unstructured":"Collberg, C., Thomborson, C., & Low, D., (1997). A Taxonomy of Obfuscating Transformations."},{"key":"559_CR14","unstructured":"Mawgoud, A.A., Rady, H.M., Tawfik, B.S.: A Malware Obfuscation AI Technique to Evade Antivirus Detection in Counter Forensic Domain. In: Enabling AI Applications in Data Science, pp. 597\u2013615. Springer, Cham."},{"key":"559_CR15","unstructured":"Lewis, T.:. Malware Obfuscation, Encoding And Encryption. Infosec Institute. https:\/\/resources.infosecinstitute.com\/category\/certifications-training\/malware-analysis-reverse-engineering\/malware-obfuscation-encoding-encryption\/#gref (2020)"},{"key":"559_CR16","unstructured":"Cesare, S., Xiang, Y.: Classification of malware using structured control flow. In: Proceedings of the Eighth Australasian Symposium on Parallel and Distributed Computing, Vol. 107, pp. 61\u201370 (2010)."},{"issue":"4","key":"559_CR17","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1007\/s11416-012-0165-0","volume":"8","author":"A Issa","year":"2012","unstructured":"Issa, A.: Anti-virtual machines and emulations. J. Comput. Virol. 8(4), 141\u2013149 (2012)","journal-title":"J. Comput. Virol."},{"key":"559_CR18","unstructured":"Wuest, C.: Advanced communication techniques of remote access trojan horses on Windows operating system GSEC Practical v1. 4b (option 1) (2004)."},{"key":"559_CR19","unstructured":"Pingios, A., Christiaan, B., Becwar, R.: Process Injection. Retrieved from https:\/\/attack.mitre.org\/techniques\/T1055\/ (2019)"},{"key":"559_CR20","unstructured":"Ries, C.: Defeating Windows personal firewalls: Filtering methodologies, attacks, and defenses. VigilantMinds Inc (2005)."},{"key":"559_CR21","unstructured":"Husse, C., Stenning, J.: EasyHook - The reinvention of Windows API Hooking. Retrieved from https:\/\/github.com\/EasyHook\/EasyHook (2019)"},{"key":"559_CR22","doi-asserted-by":"crossref","unstructured":"Yunus, Y.K.B.M., Ngah, S.B.: Review of hybrid analysis technique for malware detection. In: IOP Conference Series: Materials Science and Engineering, Vol. 769, No. 1, p. 012075. IOP Publishing (2020).","DOI":"10.1088\/1757-899X\/769\/1\/012075"},{"key":"559_CR23","unstructured":"Kaspersky.: What is Metamorphic Virus? https:\/\/www.kaspersky.com\/resource-center\/definitions\/metamorphic-virus (2020)"},{"key":"559_CR24","unstructured":"Trend Micro Inc.: TrendMicro\u2014Polymorphic virus. https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/Polymorphic-virus (2020)"},{"key":"559_CR25","first-page":"15","volume":"15","author":"E Konstantinou","year":"2008","unstructured":"Konstantinou, E., Wolthusen, S.: Metamorphic virus: Analysis and detection. R. Holloway Univ. Lond. 15, 15 (2008)","journal-title":"R. Holloway Univ. Lond."},{"issue":"5","key":"559_CR26","first-page":"1780","volume":"2","author":"U Haritha","year":"2013","unstructured":"Haritha, U., Naidu, V.L.: A Survey on Windows Component Loading Vulnerabilities. Int. J. Adv. Res. Comput. Eng. Technol. (IJARCET) 2(5), 1780\u20131783 (2013)","journal-title":"Int. J. Adv. Res. Comput. Eng. Technol. (IJARCET)"},{"key":"559_CR27","unstructured":"Microsoft.: Process Interoperability. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/winprog64\/process-interoperability (2018)"},{"key":"559_CR28","unstructured":"Provecho, E.F.: Testing User Account Control (UAC) on Windows 10. Retrieved from https:\/\/www.researchgate.net\/profile\/Ernesto_Fernandez5\/publication\/319454675_Testing_UAC_on_Windows_10\/links\/59abcc50a6fdcce55a382ede\/Testing-UAC-on-Windows-10.pdf (2017)"},{"key":"559_CR29","unstructured":"Nelson, M., Graeber, M.: Bypassing UAC on Windows 10 using Disk Cleanup (2018)."},{"key":"559_CR30","unstructured":"MITRE.: Privilege Escalation. https:\/\/attack.mitre.org\/tactics\/TA0004\/ (2019)"},{"key":"559_CR31","unstructured":"Nelson, M.: Exploiting Environment Variables in Scheduled Tasks for UAC Bypass. https:\/\/www.tiraniddo.dev\/2017\/05\/exploiting-environment-variables-in.html (2017)"},{"key":"559_CR32","unstructured":"Ruben, B.: UAC 0day All Day. https:\/\/labs.f-secure.com\/assets\/resourceFiles\/DefCon25-UAC-0day-All-Day-v2.2.pdf (2017)"},{"key":"559_CR33","unstructured":"Exploit-DB by Offensive Security.: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (\/etc\/passwd Method). Retrieved from https:\/\/www.exploit-db.com\/exploits\/40839 (2016)"},{"key":"559_CR34","unstructured":"Hagen, W.: Ubuntu Linux Bible: Featuring Ubuntu 10.04 LTS. Indianapolis: Wiley Publishing, Inc. (2010)"},{"key":"559_CR35","unstructured":"Treaster, M., Koenig, G.A., Meng, X., Yurcik, W.: Detection of privilege escalation for linux cluster security. In: 6th LCI International Conference on Linux Clusters (2005)."},{"key":"559_CR36","unstructured":"MITRE.: Setuid and Setgid. https:\/\/attack.mitre.org\/techniques\/T1166\/ (2017)"},{"key":"559_CR37","unstructured":"Ubuntu.: Ubuntu Help - Sudoers. https:\/\/help.ubuntu.com\/community\/Sudoers (2014)"},{"key":"559_CR38","unstructured":"Kerrisk, M.: man7. (find - search for files in a directory hierarchy). http:\/\/man7.org\/linux\/man-pages\/man1\/find.1.html (2020)"},{"key":"559_CR39","unstructured":"Dion-Marcil, L.: sudo-backdoor. https:\/\/github.com\/ldionmarcil\/sudo-backdoor (2017)"},{"key":"559_CR40","volume-title":"Cyber Crime, Security and Digital Intelligence","author":"M Johnson","year":"2013","unstructured":"Johnson, M.: Cyber Crime, Security and Digital Intelligence. Routledge Pulisher (2013)"},{"key":"559_CR41","doi-asserted-by":"crossref","unstructured":"Huang, C., Han, X., Yu, G.: LPET--mining MS-windows software privilege escalation vulnerabilities by monitoring interactive behavior. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 2089\u20132091 (2020).","DOI":"10.1145\/3372297.3420014"},{"key":"559_CR42","doi-asserted-by":"publisher","first-page":"106089","DOI":"10.1016\/j.asoc.2020.106089","volume":"89","author":"S Sharmeen","year":"2020","unstructured":"Sharmeen, S., Huda, S., Abawajy, J., Hassan, M.M.: An adaptive framework against android privilege escalation threats using deep learning and semi-supervised approaches. Appl. Soft Comput. 89, 106089 (2020)","journal-title":"Appl. Soft Comput."},{"key":"559_CR43","unstructured":"Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., Kruegel, C.: A view on current malware behaviors. In: LEET (2009)."},{"key":"559_CR44","unstructured":"Rapid7.: Windows registry only persistence. https:\/\/vulners.com\/metasploit\/MSF:EXPLOIT\/WINDOWS\/LOCAL\/REGISTRY_PERSISTENCE (2015)"},{"key":"559_CR45","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1016\/j.procs.2020.08.010","volume":"176","author":"Z Gittins","year":"2020","unstructured":"Gittins, Z., Soltys, M.: Malware Persistence Mechanisms. Procedia Comput. Sci. 176, 88\u201397 (2020)","journal-title":"Procedia Comput. Sci."},{"key":"559_CR46","doi-asserted-by":"crossref","unstructured":"Showalter, W.: A Universal Windows Bootkit: An Analysis of the MBR Bootkit\" HDRoot\". In: Proceedings of the 50th Hawaii International Conference on System Sciences (2017).","DOI":"10.24251\/HICSS.2017.732"},{"key":"559_CR47","unstructured":"Brossard, J., Demetrescu, F.: Hardware backdooring is practical. BlackHat, Las Vegas, USA (2012)."},{"key":"559_CR48","unstructured":"Symantec.: Are MBR Infections Back in Fashion? https:\/\/www.symantec.com\/connect\/blogs\/are-mbr-infections-back-fashion (2011)"},{"key":"559_CR49","doi-asserted-by":"crossref","unstructured":"Brierley, C., Pont, J., Arief, B., Barnes, D.J., Hernandez-Castro, J.C.: Persistence in Linux-Based IoT Malware (2020).","DOI":"10.1007\/978-3-030-70852-8_1"},{"issue":"3","key":"559_CR50","first-page":"482","volume":"3333","author":"MN Kondalwar","year":"2014","unstructured":"Kondalwar, M.N., Shelke, C.J.: Remote administrative trojan\/tool (RAT). Int. J. Comput. Sci. Mob. Comput 3333(3), 482\u2013487 (2014)","journal-title":"Int. J. Comput. Sci. Mob. Comput"},{"key":"559_CR51","doi-asserted-by":"crossref","unstructured":"Hokaguchi, T., Ohsita, Y., Shibahara, T., Chiba, D., Akiyama, M., & Murata, M. (2020, January). Detecting Malware-infected Hosts Using Templates of Multiple HTTP Requests. In 2020 IEEE 17th Annual Consumer Communications & Networking Conference (CCNC) (pp. 1\u20132). IEEE.","DOI":"10.1109\/CCNC46108.2020.9045542"},{"key":"559_CR52","doi-asserted-by":"crossref","unstructured":"Shibahara, T., Yagi, T., Akiyama, M., Chiba, D., Yada, T.: Efficient dynamic malware analysis based on network behavior using deep learning. In: 2016 IEEE Global Communications Conference (GLOBECOM), pp 1\u20137. IEEE (2016).","DOI":"10.1109\/GLOCOM.2016.7841778"},{"key":"559_CR53","unstructured":"VMware.: Mechanisms to determine if software is running in a VMware virtual machine. https:\/\/kb.vmware.com\/s\/article\/1009458 (2015)"},{"key":"559_CR54","unstructured":"AV-Comparatives.: Real-World Protection Test July-October 2020. https:\/\/www.av-comparatives.org\/tests\/real-world-protection-test-july-october-2020\/ (2020)"},{"key":"559_CR55","unstructured":"Cannell, J.: Obfuscation: Malware\u2019s best friend. https:\/\/blog.malwarebytes.com\/threat-analysis\/2013\/03\/obfuscation-malwares-best-friend\/ (2013)"},{"key":"559_CR56","unstructured":"Microsoft.: Dynamic-Link Library Search Order. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/dlls\/dynamic-link-library-search-order (2018)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00559-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-021-00559-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00559-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,3,21]],"date-time":"2022-03-21T08:08:29Z","timestamp":1647850109000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-021-00559-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,6,26]]},"references-count":56,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2022,4]]}},"alternative-id":["559"],"URL":"https:\/\/doi.org\/10.1007\/s10207-021-00559-2","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,6,26]]},"assertion":[{"value":"17 June 2021","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 June 2021","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}