
T1027.001 Binary Padding

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of the binary, but it can increase the file size beyond what some security tools are capable of handling due to file size limitations.

Binary padding changes the file's checksum and cryptographic hash, so it can be used to evade hash-based blocklists and static anti-virus signatures that match on the whole file.[1] The padding is commonly generated by a function that produces junk data, which is then appended to the end of the file or inserted into sections of the malware.[2] Padding that is only appended sits outside the executable's section table and is never mapped by the loader, so hashes computed over the loaded image or its sections (for example an import hash) are unaffected; only whole-file hashes change. Increasing the file size may decrease the effectiveness of tools and detection capabilities that are not designed or configured to scan large files, and may also reduce the likelihood that the sample is collected for analysis. Public file-scanning services such as VirusTotal limit the maximum size of an uploaded file.[3]

ID: T1027.001
Sub-technique of: T1027 (Obfuscated Files or Information); sibling sub-techniques: T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006
Tactics: TA0005 (Defense Evasion)
CAPEC ID: CAPEC-572, CAPEC-655
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 05 February 2020
Last Modified: 15 October 2021

Procedure Examples

ID  Name  Description
G0016  APT29  APT29 has used large file sizes to avoid detection. [38]
G0050  APT32  APT32 includes garbage code to mislead anti-malware software and researchers. [1][37]
S0268  Bisonal  Bisonal has appended random binary data to the end of itself to generate a large binary. [4]
G0060  BRONZE BUTLER  BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection. [33][34]
S0244  Comnie  Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk. [23]
S0137  CORESHELL  CORESHELL contains unused machine instructions in a likely attempt to hinder analysis. [15]
S0614  CostaBricks  CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code. [28]
S0082  Emissary  A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan. [6]
S0512  FatDuke  FatDuke has been packed with junk code and strings. [24]
S0182  FinFisher  FinFisher contains junk code in its functions in an effort to confuse disassembly programs. [25][26]
G0047  Gamaredon Group  Gamaredon Group has obfuscated .NET executables by inserting junk code. [36]
S0666  Gelsemium  Gelsemium can use junk code to hide functions and evade detection. [22]
S0477  Goopy  Goopy has had null characters padded in its malicious DLL payload. [11]
S0531  Grandoreiro  Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size. [10]
S0632  GrimAgent  GrimAgent has the ability to add bytes to change the file hash. [14]
G0126  Higaisa  Higaisa performed padding with null bytes before calculating its hash. [29]
S0528  Javali  Javali can use large obfuscated libraries to hinder detection and analysis. [19]
S0236  Kwampirs  Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections. [7]
G0065  Leviathan  Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection. [31]
S0449  Maze  Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process. [5]
G0002  Moafee  Moafee has been known to employ binary padding. [30]
G0129  Mustang Panda  Mustang Panda has used junk code within their DLL files to hinder analysis. [35]
G0040  Patchwork  Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes. [32]
S0223  POWERSTATS  POWERSTATS has used useless code blocks to counter analysis. [12]
S0650  QakBot  QakBot can use large file sizes to evade detection. [8][9]
S0433  Rifdoor  Rifdoor has added four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe. [27]
S0370  SamSam  SamSam has used garbage code to pad some of its malware components. [18]
S0586  TAINTEDSCRIBE  TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2. [16]
S0612  WastedLocker  WastedLocker contains junk code to increase its entropy and hide the actual code. [17]
S0117  XTunnel  A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. [13]
S0248  yty  yty contains junk code in its binary, likely to confuse malware analysts. [21]
S0230  ZeroT  ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions. [20]

Detection

ID  Data Source  Data Component
DS0022  File  File Metadata
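The following is an added example, not MITRE's code, that ties the description above to the File Metadata data source in this table. It builds a constructed, non-executable PE32 stub (one section, 0x200 bytes of deterministic filler in place of code), applies appended padding the way the procedure examples describe (null bytes as in Goopy and BRONZE BUTLER, or pseudo-random bytes as in Bisonal and TAINTEDSCRIBE), and then runs the defender-side check: parse the section table, measure the overlay that trails the last section, and compare a whole-file SHA-256 with a hash over only the mapped part of the image. The thresholds in looks_padded() and the helper names are assumptions chosen for illustration.

```python
"""Binary padding on a PE image, and the overlay check used to spot it.

Added example, not MITRE's code. The PE built here is a constructed,
non-executable stub with just enough header structure (DOS header,
PE signature, COFF header, PE32 optional header, one section) to parse.
Thresholds in looks_padded() are assumptions for illustration.
"""
import hashlib
import struct
from collections import Counter
from typing import Optional

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def junk(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter stream). Stands in
    for the random bytes that samples such as Bisonal and TAINTEDSCRIBE append."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 stub: one .text section at file offset 0x200, 0x200 bytes long."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    opt_size = 224                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)         # Magic = PE32
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                          raw_size, 0x1000,            # VirtualSize, VirtualAddress
                          raw_size, raw_ptr,           # SizeOfRawData, PointerToRawData
                          0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section).ljust(raw_ptr, b"\0")
    return headers + junk(raw_size, b"code")           # filler standing in for section content


def pad_binary(pe: bytes, size: int, fill: Optional[int] = 0) -> bytes:
    """Adversary side: append `size` bytes after the last section. The loader never
    maps the overlay, so behaviour is unchanged; only file size and whole-file hash
    differ. fill=0 mimics null padding; fill=None appends pseudo-random bytes."""
    return pe + (junk(size, b"pad") if fill is None else bytes([fill]) * size)


def end_of_sections(pe: bytes) -> int:
    """File offset where the last section's raw data ends, per the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    end = 0
    for i in range(n_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", pe, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_report(pe: bytes) -> dict:
    """Defender side (File Metadata): measure whatever trails the section table."""
    end = end_of_sections(pe)
    overlay = pe[end:]
    top = Counter(overlay).most_common(1)[0][1] if overlay else 0
    return {
        "file_size": len(pe),
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(pe),
        "top_byte_fraction": top / len(overlay) if overlay else 0.0,  # ~1.0 means constant fill
        "sha256": hashlib.sha256(pe).hexdigest(),                     # changes with any padding
        "sha256_sans_overlay": hashlib.sha256(pe[:end]).hexdigest(),  # invariant to appended padding
    }


def looks_padded(report: dict, min_overlay: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Triage heuristic (thresholds assumed): a large overlay that dominates the file.
    Legitimate overlays exist (installers, self-extractors, Authenticode signatures),
    so a hit is a reason to look, not a verdict."""
    return report["overlay_size"] >= min_overlay and report["overlay_ratio"] >= min_ratio


if __name__ == "__main__":
    clean = build_sample_pe()
    nulls = pad_binary(clean, 2 << 20)              # 2 MiB of 0x00
    rnd = pad_binary(clean, 2 << 20, fill=None)     # 2 MiB of pseudo-random junk
    for name, sample in (("clean", clean), ("null-padded", nulls), ("junk-padded", rnd)):
        r = overlay_report(sample)
        print(f"{name:12s} size={r['file_size']:>8} overlay={r['overlay_size']:>8} "
              f"top_byte={r['top_byte_fraction']:.3f} padded={looks_padded(r)} "
              f"sha256={r['sha256'][:16]} sans_overlay={r['sha256_sans_overlay'][:16]}")
```

Two things the output makes visible: the whole-file hash differs for every padded variant while sha256_sans_overlay stays constant, so a blocklist keyed on the mapped image survives padding that a whole-file hash does not; and top_byte_fraction separates null-filled overlays (close to 1.0) from random-filled ones (close to 1/256), which is useful when deciding whether an overlay is padding or a legitimate embedded payload.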

References


1. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
2. Ishimaru, S. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.
3. VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.
4. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
5. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
6. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
7. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
8. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
9. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
10. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
11. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
12. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
13. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
14. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
15. FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
16. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
17. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
18. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
19. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
20. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
21. Schwarz, D., Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
22. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
23. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
24. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
25. FinFisher. (n.d.). Retrieved December 20, 2017.
26. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
27. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
28. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
29. Singh, S. and Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
30. Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.
31. Axel F., Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
32. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
33. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
34. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK's Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
35. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
36. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
37. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
38. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
