T1027.004 Compile After Delivery
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered via Phishing. Payloads may also be delivered in formats that the native OS does not recognize and that are inherently benign to it (e.g. EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.
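The following is an added detection example, not MITRE content or any vendor's rule: it scores process-creation events for the pattern the technique describes (a compiler named on this page, csc.exe or GCC/MinGW, launched by a script host or document reader, reading source and writing its binary under user-writable temp paths). The event field names (image, parent_image, cmdline), the suspicious-parent list and the weights are assumptions; the sample events are constructed.

```python
import re

# Compiler image names; csc.exe and GCC/MinGW are the ones the technique lists.
COMPILER_RE = re.compile(r"(?:^|[\\/])(?:csc|gcc|cc|[\w.-]*mingw[\w.-]*-gcc)(?:\.exe)?$", re.I)
# Source extensions and user-writable temp locations (Windows and Unix forms).
SRC_RE = re.compile(r"\.(?:cs|c|cpp|cc|cxx)$", re.I)
TEMP_RE = re.compile(r"\\(?:temp|appdata|downloads|public)\\|^/(?:tmp|var/tmp|dev/shm)/", re.I)
# Parents with no business launching a compiler on a workstation (assumed list).
SUSPICIOUS_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "winword.exe", "excel.exe", "outlook.exe"}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def score_event(evt: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); (0, []) for non-compilers and ordinary-looking builds."""
    if not COMPILER_RE.search(evt.get("image", "")):
        return 0, []
    score, reasons = 0, []
    parent = basename(evt.get("parent_image", ""))
    if parent in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"compiler spawned by {parent}")
    toks = evt.get("cmdline", "").split()  # naive split; quoted paths with spaces need shlex
    for i, tok in enumerate(toks):
        if SRC_RE.search(tok) and TEMP_RE.search(tok):
            score += 2
            reasons.append(f"source file in temp path: {tok}")
        # Output binary: csc.exe takes /out:<path>, gcc takes -o <path>.
        out = tok[5:] if tok.lower().startswith("/out:") else None
        if tok == "-o" and i + 1 < len(toks):
            out = toks[i + 1]
        if out and TEMP_RE.search(out):
            score += 2
            reasons.append(f"compiled binary written to temp path: {out}")
    return score, reasons

def detect(events: list[dict], threshold: int = 2) -> list[tuple[dict, int, list[str]]]:
    """(event, score, reasons) for every event scoring at or above threshold."""
    return [(e, *sr) for e in events if (sr := score_event(e))[0] >= threshold]

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"csc.exe /nologo /out:C:\Users\bob\AppData\Local\Temp\upd.exe C:\Users\bob\AppData\Local\Temp\upd.cs"},
    {"image": "/usr/bin/gcc", "parent_image": "/bin/sh", "cmdline": "gcc -o /tmp/.x /tmp/.x.c"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs"},
]
```

Running `detect(SAMPLE_EVENTS)` flags the PowerShell-driven csc.exe build and the gcc build in /tmp, while the MSBuild-driven build of a project directory scores zero; the weights are a starting point to tune against a host's normal build activity.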
Sub-techniques of T1027: T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Platforms: Linux, Windows, macOS
Created: 16 March 2020
Last Modified: 29 March 2020
Procedure Examples
Cardinal RAT: Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.
DarkWatchman: DarkWatchman has used the csc.exe tool to compile a C# executable.
FoggyWeb: FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.
Gamaredon Group: Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in
MuddyWater: MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.
njRAT: njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.
Rocke: Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).