T1560.002 Archive via Library
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile 1, libzip 2, and zlib 3. Most libraries include functionality to encrypt and/or compress data.
Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
Item | Value |
---|---|
ID | T1560.002 |
Sub-techniques | T1560.001, T1560.002, T1560.003 |
Tactics | TA0009 |
Platforms | Linux, Windows, macOS |
Version | 1.0 |
Created | 20 February 2020 |
Last Modified | 29 March 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0642 | BADFLICK | BADFLICK has compressed data using the aPLib compression library.7 |
S0127 | BBSRAT | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.11 |
S0348 | Cardinal RAT | Cardinal RAT applies compression to C2 traffic using the ZLIB library.10 |
S0354 | Denis | Denis compressed collected data using zlib.5 |
S0091 | Epic | Epic compresses the collected data with bzip2 before sending it to the C2 server.9 |
S0661 | FoggyWeb | FoggyWeb can invoke the Common.Compress method to compress data with the C# GZipStream compression class.15 |
S1044 | FunnyDream | FunnyDream has compressed collected files with zLib.8 |
S0260 | InvisiMole | InvisiMole can use zlib to compress and decompress data.1213 |
G0032 | Lazarus Group | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.1819 |
S0053 | SeaDuke | SeaDuke compressed data with zlib prior to sending it over C2.16 |
S0467 | TajMahal | TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.6 |
G0027 | Threat Group-3390 | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.17 |
S0086 | ZLib | The ZLib backdoor compresses communications using the standard Zlib compression library.14 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0012 | Script | Script Execution |
References
-
D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, 2020. ↩
-
Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016. ↩
-
Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018. ↩
-
GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. ↩
-
Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. ↩
-
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. ↩
-
Kaspersky Lab’s Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. ↩
-
Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. ↩
-
Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. ↩
-
Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. ↩
-
Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. ↩
-
Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. ↩
-
Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. ↩
-
Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩
-
Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. ↩
-
Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. ↩