T1027.004 Compile After Delivery
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.1
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.2
| Item | Value |
|---|---|
| ID | T1027.004 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Permissions required | User |
| Version | 1.0 |
| Created | 16 March 2020 |
| Last Modified | 29 March 2020 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0348 | Cardinal RAT | Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.4 |
| S0673 | DarkWatchman | DarkWatchman has used the csc.exe tool to compile a C# executable.5 |
| S0661 | FoggyWeb | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.3 |
| G0047 | Gamaredon Group | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.8 |
| G0069 | MuddyWater | MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.1 |
| S0385 | njRAT | njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.6 |
| G0106 | Rocke | Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).7 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
References
-
ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. ↩↩
-
Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019. ↩
-
Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. ↩
-
Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. ↩
-
Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. ↩
-
Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. ↩
-
Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. ↩
-
Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. ↩