Automated Exfiltration
Sub-techniques (1)
ID | Name |
---|---|
.001 | Traffic Duplication |
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.
Procedure Examples |
|
Name | Description |
---|---|
StrongPity |
StrongPity can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020) |
LightNeuron |
LightNeuron can be configured to automatically exfiltrate files under a specified directory.(Citation: ESET LightNeuron May 2019) |
During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.(Citation: Talos Frankenstein June 2019) |
|
Frankenstein |
Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019) |
Sidewinder |
Sidewinder has configured tools to automatically send collected files to attacker controlled servers.(Citation: ATT Sidewinder January 2021) |
Empire |
Empire has the ability to automatically send collected data back to the threat actors' C2.(Citation: Talos Frankenstein June 2019) |
Doki |
Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.(Citation: Intezer Doki July 20) |
Rover |
Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.(Citation: Palo Alto Rover) |
OutSteel |
OutSteel can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Peppy |
Peppy has the ability to automatically exfiltrate files and keylogs.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Machete |
Machete’s collected files are exfiltrated automatically to remote servers.(Citation: ESET Machete July 2019) |
Ebury |
If credentials are not collected for two weeks, Ebury encrypts the credentials using a public key and sends them via UDP to an IP address located in the DNS TXT record.(Citation: ESET Windigo Mar 2014)(Citation: ESET Ebury May 2024) |
Raccoon Stealer |
Raccoon Stealer will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022) |
Ke3chang |
Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.(Citation: Microsoft NICKEL December 2021) |
RedCurl |
RedCurl has used batch scripts to exfiltrate data.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
TajMahal |
TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation: Kaspersky TajMahal April 2019) |
Winter Vivern |
Winter Vivern delivered a PowerShell script capable of recursively scanning victim machines looking for various file types before exfiltrating identified files via HTTP.(Citation: CERT-UA WinterVivern 2023) |
Honeybee |
Honeybee performs data exfiltration is accomplished through the following command-line command: |
USBStealer |
USBStealer automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine. (Citation: ESET Sednit USBStealer 2014) |
Crutch |
Crutch has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020) |
Tropic Trooper |
Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.(Citation: TrendMicro Tropic Trooper May 2020) |
Gamaredon Group |
Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020) |
ShimRatReporter |
ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.(Citation: FOX-IT May 2016 Mofang) |
CosmicDuke |
CosmicDuke exfiltrates collected files automatically over FTP to remote servers.(Citation: F-Secure Cosmicduke) |
Attor |
Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.(Citation: ESET Attor Oct 2019) |
TINYTYPHON |
When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server.(Citation: Forcepoint Monsoon) |
Mitigations |
|
Mitigation | Description |
---|---|
Automated Exfiltration Mitigation |
Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP) |
Detection
Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.
References
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
- Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021.
- S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
- Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.