T1560 Archive Collected Data
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
Item | Value |
---|---|
ID | T1560 |
Sub-techniques | T1560.001, T1560.002, T1560.003 |
Tactics | TA0009 |
Platforms | Linux, Windows, macOS |
Version | 1.0 |
Created | 20 February 2020 |
Last Modified | 04 January 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL | ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.20 |
S0331 | Agent Tesla | Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.16 |
S0622 | AppleSeed | AppleSeed has compressed collected data before exfiltration.39 |
G0007 | APT28 | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.44 |
G0050 | APT32 | APT32‘s backdoor has used LZMA compression and RC4 encryption before exfiltration.45 |
S0456 | Aria-body | Aria-body has used ZIP to compress data gathered on a compromised host.30 |
G0001 | Axiom | Axiom has compressed and encrypted data prior to exfiltration.42 |
S0093 | Backdoor.Oldrea | Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.36 |
S0521 | BloodHound | BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.43 |
S0657 | BLUELIGHT | BLUELIGHT can zip files before exfiltration.23 |
S1039 | Bumblebee | Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.17 |
S0454 | Cadelspy | Cadelspy has the ability to compress stolen data into a .cab file.26 |
S0667 | Chrommme | Chrommme can encrypt and store on disk collected data before exfiltration.40 |
S0187 | Daserf | Daserf hides collected data in password-protected .rar archives.31 |
G0035 | Dragonfly | Dragonfly has compressed data into .zip files prior to exfiltration.55 |
S0567 | Dtrack | Dtrack packs collected data into a password protected archive.41 |
S0367 | Emotet | Emotet has been observed encrypting the data it collects before sending it to the C2 server. 7 |
S0363 | Empire | Empire can ZIP directories on the target system.2 |
S0091 | Epic | Epic encrypts collected data using a public key framework before sending it over the C2 channel.37 Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.38 |
S0343 | Exaramel for Windows | Exaramel for Windows automatically encrypts files before sending them to the C2 server.13 |
S0267 | FELIXROOT | FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.11 |
G0037 | FIN6 | Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.53 |
S0249 | Gold Dragon | Gold Dragon encrypts data using Base64 before being sent to the command and control server.8 |
G0004 | Ke3chang | The Ke3chang group has been known to compress data before exfiltration.52 |
S0487 | Kessel | Kessel can RC4-encrypt credentials before sending to the C2.15 |
S0356 | KONNI | KONNI has encrypted data and files prior to exfiltration.21 |
G0032 | Lazarus Group | Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. 495051 |
G0065 | Leviathan | Leviathan has archived victim’s data prior to exfiltration.46 |
S0395 | LightNeuron | LightNeuron contains a function to encrypt and store emails that it collects.9 |
S0681 | Lizar | Lizar has encrypted data before sending it to the server.14 |
G1014 | LuminousMoth | LuminousMoth has manually archived stolen files from victim machines before exfiltration.54 |
S0010 | Lurid | Lurid can compress data before sending it.10 |
S0409 | Machete | Machete stores zipped files with profile data from installed web browsers.29 |
G0045 | menuPass | menuPass has encrypted files and information before exfiltration.4748 |
S0198 | NETWIRE | NETWIRE has the ability to compress archived screenshots.12 |
G0040 | Patchwork | Patchwork encrypted the collected files’ path with AES and then encoded them with base64.43 |
S0517 | Pillowmint | Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.27 |
S1012 | PowerLess | PowerLess can encrypt browser database files prior to exfiltration.18 |
S0113 | Prikormka | After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish.28 |
S0279 | Proton | Proton zips up files before exfiltrating them.25 |
S0375 | Remexi | Remexi encrypts and adds all gathered browser data into files for upload to C2.6 |
S0253 | RunningRAT | RunningRAT contains code to compress files.8 |
S0445 | ShimRatReporter | ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.5 |
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE has used FileReadZipSend to compress a file and send to C2.22 |
S0257 | VERMIN | VERMIN encrypts the collected files using 3-DES.19 |
S0515 | WellMail | WellMail can archive files on the compromised host.35 |
S0658 | XCSSET | XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.24 |
S0251 | Zebrocy | Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. 323334 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | System scans can be performed to identify unauthorized archival utilities. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
References
-
Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016. ↩
-
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩
-
Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. ↩
-
Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019. ↩
-
Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. ↩
-
Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. ↩
-
Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019. ↩
-
Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. ↩↩
-
Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. ↩
-
Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014. ↩
-
Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. ↩
-
BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. ↩
-
Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. ↩
-
Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. ↩
-
Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. ↩
-
Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. ↩
-
Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. ↩
-
ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. ↩
-
Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. ↩
-
USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. ↩
-
Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. ↩
-
Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. ↩
-
Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. ↩
-
Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. ↩
-
Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. ↩
-
Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. ↩
-
ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. ↩
-
CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. ↩
-
DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. ↩
-
ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. ↩
-
CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. ↩
-
CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. ↩
-
Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. ↩
-
KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. ↩
-
Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. ↩
-
Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. ↩
-
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. ↩
-
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. ↩
-
Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. ↩
-
Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. ↩
-
CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. ↩
-
United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. ↩
-
US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. ↩
-
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. ↩
-
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. ↩
-
Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. ↩
-
Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. ↩
-
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. ↩
-
Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. ↩
-
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. ↩