T1027.014 Polymorphic Code
Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.1 With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.2 Other obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as Software Packing, Command Obfuscation, or Encrypted/Encoded File.43
| Item | Value |
|---|---|
| ID | T1027.014 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 27 September 2024 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0574 | BendyBear | BendyBear changes its runtime footprint during code execution to evade signature-based defenses.5 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Anti-virus can be used to automatically detect and quarantine suspicious files. Employment of advanced anti-malware techniques that make use of technologies like machine learning and behavior-based mechanisms to conduct signature-less malware detection will also be more effective than traditional indicator-based detection methods. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads |
References
-
Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024. ↩
-
SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024. ↩
-
Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024. ↩
-
Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024. ↩
-
Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. ↩