T1001.001 Junk Data
Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
|APT28 added “junk data” to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a “junk length” value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.
|BendyBear has used byte randomization to obscure its behavior.
|Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.
|GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.
|GrimAgent can pad C2 messages with random generated values.
|Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.
|Mori has obfuscated the FML.dll with 200MB of junk data.
|P2P ZeuS added junk data to outgoing UDP packets to peer implants.
|P8RAT can send randomly-generated data as part of its C2 communication.
|PLEAD samples were found to be highly obfuscated with junk code.
|SUNBURST added junk bytes to its C2 over HTTP.
|TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.
|Turian can insert pseudo-random characters into its network encryption setup.
|WellMess can use junk data in the Base64 string for additional obfuscation.
|Network Intrusion Prevention
|Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.