Skip to content

T1001.001 Junk Data

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

Item Value
ID T1001.001
Sub-techniques T1001.001, T1001.002, T1001.003
Tactics TA0011
Platforms Linux, Windows, macOS
Version 1.0
Created 15 March 2020
Last Modified 15 March 2020

Procedure Examples

ID Name Description
G0007 APT28 APT28 added “junk data” to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a “junk length” value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.14
S0574 BendyBear BendyBear has used byte randomization to obscure its behavior.2
S0134 Downdelph Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.4
S0588 GoldMax GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.6
S0632 GrimAgent GrimAgent can pad C2 messages with random generated values.5
S0016 P2P ZeuS P2P ZeuS added junk data to outgoing UDP packets to peer implants.13
S0626 P8RAT P8RAT can send randomly-generated data as part of its C2 communication.12
S0435 PLEAD PLEAD samples were found to be highly obfuscated with junk code.78
S0559 SUNBURST SUNBURST added junk bytes to its C2 over HTTP.11
S0682 TrailBlazer TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.3
S0647 Turian Turian can insert pseudo-random characters into its network encryption setup.9
S0514 WellMess WellMess can use junk data in the Base64 string for additional obfuscation.10

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 

  2. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. 

  3. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  4. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 

  5. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  6. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  7. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020. 

  8. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  9. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 

  10. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. 

  11. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 

  12. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  13. SecureWorks. (2013). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015. 

  14. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

Back to top