
T1027.009 Embedded Payloads

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.[7]

Adversaries may embed payloads in various file formats to hide payloads.[5] This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.[1]

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.[4] Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.[6]

Embedded content may also be used as Process Injection payloads used to infect benign system processes.[3] These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.[2]
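The overlay and nesting cases described above (a payload appended past the last section of a benign PE, or a whole executable nested inside another) can be surfaced with a simple file-creation check. The following Python script is an added illustration, not part of the ATT&CK page or any referenced report: it parses the section table of a PE file, measures whatever trails the last section, and flags a nested MZ/PE header, a high-entropy blob, or a blob that decodes as base64. The PE builder, the sample overlays and the 7.0-bit entropy threshold are constructed assumptions for the demonstration.

```python
import base64
import binascii
import math
import struct

SECTION_HEADER_SIZE = 40


def build_sample_pe(section_data: bytes = b"\x90" * 0x200) -> bytes:
    """Constructed, non-executable PE-shaped file used only as sample input.

    Layout: DOS header (e_lfanew = 0x40), PE signature, COFF header with one
    section, a zeroed optional header, and a .text section whose raw data sits
    at file offset 0x200 with size 0x200. Total length is 0x400 bytes.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = b"\0" * size_of_optional
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          len(section_data), 0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + optional + section
    header += b"\0" * (0x200 - len(header))
    return header + section_data


def pe_data_end(data: bytes) -> int:
    """Offset just past the last byte any section header claims as raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    end = table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        entry = table + SECTION_HEADER_SIZE * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_nested_pe(blob: bytes):
    """Return the offset of an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def analyze_overlay(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Describe whatever trails the last PE section and list indicators."""
    end = pe_data_end(data)
    overlay = data[end:]
    result = {
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "entropy": shannon_entropy(overlay),
        "nested_pe_offset": None,
        "base64_decodable": False,
        "findings": [],
    }
    if not overlay:
        return result
    nested = find_nested_pe(overlay)
    if nested is not None:
        result["nested_pe_offset"] = end + nested
        result["findings"].append("nested PE image in overlay")
    if result["entropy"] > entropy_threshold:
        result["findings"].append("high-entropy overlay (packed or encrypted data)")
    try:
        base64.b64decode(overlay.strip(), validate=True)
        result["base64_decodable"] = True
        result["findings"].append("overlay decodes as base64")
    except (binascii.Error, ValueError):
        pass
    return result


if __name__ == "__main__":
    clean = build_sample_pe()
    for label, sample in [("clean", clean),
                          ("base64 overlay", clean + b"aGVsbG8gd29ybGQ="),
                          ("nested PE", clean + clean),
                          ("encrypted-looking", clean + bytes(range(256)) * 4)]:
        print(label, analyze_overlay(sample))
```

A legitimate overlay is common (installers and signed files carry certificates and setup data there), so the indicators above are triage signals to pair with the DS0022 File Creation data source, not verdicts on their own; the entropy threshold in particular should be tuned against the environment's normal binaries.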

ID: T1027.009
Sub-techniques: T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics: TA0005
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 30 September 2022
Last Modified: 21 October 2022

Procedure Examples

ID | Name | Description
C0021 | C0021 | For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[15]
S0126 | ComRAT | ComRAT has embedded an XOR-encrypted communications module inside the orchestrator module.[11][10]
S1052 | DEADEYE | The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.[13]
S0567 | Dtrack | Dtrack has used a dropper that embeds an encrypted payload as extra data.[9]
S0231 | Invoke-PSImage | Invoke-PSImage can be used to embed payload data within a new image file.[1]
S1048 | macOS.OSAMiner | macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.[6]
S0457 | Netwalker | Netwalker's DLL has been embedded within the PowerShell script in hex format.[12]
S0649 | SMOKEDHAM | The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[14]

Mitigations

ID | Mitigation | Description
M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically detect and quarantine suspicious files.
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.[8]

Detection

ID | Data Source | Data Component
DS0022 | File | File Creation

References

  1. Barrett Adams. (n.d.). Invoke-PSImage. Retrieved September 30, 2022.

  2. CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022. 

  3. Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022. 

  4. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.

  5. Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022. 

  6. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. 

  7. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022. 

  8. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. 

  9. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 

  10. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 

  11. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 

  12. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.

  13. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. 

  14. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. 

  15. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.