Skip to content

T1027.005 Indicator Removal from Tools

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

Item Value
ID T1027.005
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 19 March 2020
Last Modified 28 April 2022

Procedure Examples

ID Name Description
G0022 APT3 APT3 has been known to remove indicators of compromise from tools.20
S0154 Cobalt Strike Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.56
S0187 Daserf Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.11
G0009 Deep Panda Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.17
G0093 GALLIUM GALLIUM ensured each payload had a unique hash, including by using different types of packers.16
S0237 GravityRAT The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.9
S0260 InvisiMole InvisiMole has undergone regular technical improvements in an attempt to evade detection.7
G0049 OilRig OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.1415
C0014 Operation Wocao During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.21
G0040 Patchwork Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.19
S0587 Penquin Penquin can remove strings from binaries.10
S0194 PowerSploit PowerSploit‘s Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.12
S0650 QakBot QakBot can make small changes to itself in order to change its checksum and hash value.34
S0559 SUNBURST SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.8
G0088 TEMP.Veles TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.13
G0010 Turla Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.18
S0579 Waterbear Waterbear can scramble functions not to be executed again with random values.12

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content

References

  1. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. 

  2. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 

  3. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  4. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  5. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  6. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  7. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  8. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. 

  9. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. 

  10. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. 

  11. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. 

  12. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  13. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. 

  14. Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017. 

  15. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. 

  16. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  17. DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016. 

  18. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. 

  19. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  20. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018. 

  21. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.