T1532 Archive Collected Data
Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm.
| Item | Value |
|---|---|
| ID | T1532 |
| Sub-techniques | |
| Tactics | TA0035 |
| Platforms | Android, iOS |
| Version | 2.0 |
| Created | 10 October 2019 |
| Last Modified | 01 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0422 | Anubis | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.7 |
| S0540 | Asacub | Asacub has encrypted C2 communications using Base64-encoded RC4.6 |
| S0505 | Desert Scorpion | Desert Scorpion can encrypt exfiltrated data.4 |
| S0405 | Exodus | Exodus One encrypts data using XOR prior to exfiltration.2 |
| S0577 | FrozenCell | FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.1 |
| S0535 | Golden Cup | Golden Cup has encrypted exfiltrated data using AES in ECB mode.8 |
| S0421 | GolfSpy | GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.3 |
| S0424 | Triada | Triada encrypts data prior to exfiltration.5 |
References
-
Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020. ↩
-
Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. ↩
-
E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020. ↩
-
A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020. ↩
-
Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019. ↩
-
T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020. ↩
-
M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020. ↩
-
R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020. ↩