
Archive Collected Data

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be performed using a utility, a third-party library, or a custom method.
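The compress, encrypt, encode chain described above, as an added example for validating detections in a lab; it is not code from any malware or report cited on this page. It stages constructed sample files as a DEFLATE ZIP, RC4-encrypts the archive with a hardcoded key and Base64-encodes the result, mirroring the ZIP (Honeybee), RC4 (Kessel, APT32) and Base64 (FELIXROOT) procedures listed below. The file contents, the key and the function names are assumptions.

```python
"""Emulates T1560 staging: ZIP -> RC4 -> Base64, plus the C2-side reversal.

Added example for detection testing, not code from any cited tool.
File contents, key and names are constructed assumptions.
"""
import base64
import io
import zipfile


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_zip(files: dict) -> bytes:
    """Compress an in-memory {name: content} mapping into a DEFLATE ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def stage_for_exfil(files: dict, key: bytes) -> str:
    """ZIP -> RC4 -> Base64: the staging chain applied before exfiltration.

    After RC4 the blob no longer starts with the 'PK' ZIP signature, which is
    exactly what header-based network and file detections would otherwise key on.
    """
    return base64.b64encode(rc4(key, build_zip(files))).decode("ascii")


def recover(blob: str, key: bytes) -> dict:
    """Reverse the chain (what the receiving side does) so the round trip can be checked."""
    raw = rc4(key, base64.b64decode(blob))
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


# Constructed sample "collected" files; a real run would walk ~/Desktop or similar.
SAMPLE_FILES = {
    "Documents/plan.txt": b"quarterly roadmap " * 50,
    "Documents/hosts.csv": b"host,ip\nfs01,10.0.0.5\n",
}
# Hardcoded key, as the page notes for ADVSTORESHELL; an assumption, not a real sample.
HARDCODED_KEY = b"demo-key-not-secret"

if __name__ == "__main__":
    blob = stage_for_exfil(SAMPLE_FILES, HARDCODED_KEY)
    raw_zip = build_zip(SAMPLE_FILES)
    print(f"zip {len(raw_zip)} bytes -> staged {len(blob)} base64 chars")
    print("ZIP signature visible after RC4:", base64.b64decode(blob)[:2] == b"PK")
    assert recover(blob, HARDCODED_KEY) == SAMPLE_FILES
```

Run the script on a test host with process, file and network telemetry enabled and confirm which stage each sensor sees: the ZIP signature exists only inside `build_zip`'s output, so a rule that keys on `PK\x03\x04` in created files or in transit misses the staged blob, while the RC4 output is still catchable by entropy or by the Base64 alphabet in the transfer.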

ID: T1560
Sub-techniques: T1560.001 (Archive via Utility), T1560.002 (Archive via Library), T1560.003 (Archive via Custom Method)
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data Sources: Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Version: 1.0
Created: 20 Feb 2020
Last Modified: 20 Jan 2024

Procedure Examples

Name Description
Dragonfly

Dragonfly has compressed data into .zip files prior to exfiltration.(Citation: US-CERT TA18-074A)

Chrommme

Chrommme can encrypt and store on disk collected data before exfiltration.(Citation: ESET Gelsemium June 2021)

Patchwork

Patchwork encrypted the collected files' path with AES and then encoded them with base64.(Citation: TrendMicro Patchwork Dec 2017)

Emotet

Emotet has been observed encrypting the data it collects before sending it to the C2 server.(Citation: Fortinet Emotet May 2017)

Exaramel for Windows

Exaramel for Windows automatically encrypts files before sending them to the C2 server.(Citation: ESET TeleBots Oct 2018)

Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.(Citation: McAfee Honeybee)

TAINTEDSCRIBE

TAINTEDSCRIBE has used FileReadZipSend to compress a file and send to C2.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

Axiom

Axiom has compressed and encrypted data prior to exfiltration.(Citation: Novetta-Axiom)

LoFiSe

LoFiSe can collect files into password-protected ZIP-archives for exfiltration.(Citation: Kaspersky ToddyCat Check Logs October 2023)

BloodHound

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.(Citation: GitHub Bloodhound)(Citation: Trend Micro Black Basta October 2022)

ADVSTORESHELL

ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.(Citation: ESET Sednit Part 2)

Ember Bear

Ember Bear has compressed collected data prior to exfiltration.(Citation: CISA GRU29155 2024)

Empire

Empire can ZIP directories on the target system.(Citation: Github PowerShell Empire)

Bumblebee

Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.(Citation: Cybereason Bumblebee August 2022)

WellMail

WellMail can archive files on the compromised host.(Citation: CISA WellMail July 2020)

Lazarus Group

Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)

Cadelspy

Cadelspy has the ability to compress stolen data into a .cab file.(Citation: Symantec Chafer Dec 2015)

Spica

Spica can archive collected documents for exfiltration.(Citation: Google TAG COLDRIVER January 2024)

LightNeuron

LightNeuron contains a function to encrypt and store emails that it collects.(Citation: ESET LightNeuron May 2019)

APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.(Citation: DOJ GRU Indictment Jul 2018)

VERMIN

VERMIN encrypts the collected files using 3-DES.(Citation: Unit 42 VERMIN Jan 2018)

Dragonfly 2.0

Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it.(Citation: US-CERT TA18-074A)

ShimRatReporter

ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.(Citation: FOX-IT May 2016 Mofang)

APT32

APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.(Citation: ESET OceanLotus Mar 2019)

XCSSET

XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.(Citation: trendmicro xcsset xcode project 2020)

Gold Dragon

Gold Dragon Base64-encodes collected data before sending it to the command and control server; Base64 is an encoding, not encryption, and provides no confidentiality.(Citation: McAfee Gold Dragon)

KONNI

KONNI has encrypted data and files prior to exfiltration.(Citation: Malwarebytes Konni Aug 2021)

Raccoon Stealer

Raccoon Stealer archives collected system information in a text file, `System info.txt`, prior to exfiltration.(Citation: Sekoia Raccoon2 2022)

NETWIRE

NETWIRE has the ability to compress archived screenshots.(Citation: Red Canary NETWIRE January 2020)

PowerLess

PowerLess can encrypt browser database files prior to exfiltration.(Citation: Cybereason PowerLess February 2022)

Epic

Epic encrypts collected data using a public key framework before sending it over the C2 channel.(Citation: Kaspersky Turla) Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.(Citation: Kaspersky Turla Aug 2014)

Kessel

Kessel can RC4-encrypt credentials before sending to the C2.(Citation: ESET ForSSHe December 2018)

Zebrocy

Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration.(Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020)

FIN6

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.(Citation: FireEye FIN6 April 2016)

Lurid

Lurid can compress data before sending it.(Citation: Villeneuve 2011)

AppleSeed

AppleSeed has compressed collected data before exfiltration.(Citation: KISA Operation Muzabi)

LuminousMoth

LuminousMoth has manually archived stolen files from victim machines before exfiltration.(Citation: Bitdefender LuminousMoth July 2021)

Backdoor.Oldrea

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.(Citation: Symantec Dragonfly)

BLUELIGHT

BLUELIGHT can zip files before exfiltration.(Citation: Volexity InkySquid BLUELIGHT August 2021)

FELIXROOT

FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.(Citation: FireEye FELIXROOT July 2018)

Ke3chang

The Ke3chang group has been known to compress data before exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)

Remexi

Remexi encrypts and adds all gathered browser data into files for upload to C2.(Citation: Securelist Remexi Jan 2019)

RunningRAT

RunningRAT contains code to compress files.(Citation: McAfee Gold Dragon)

Machete

Machete stores zipped files with profile data from installed web browsers.(Citation: ESET Machete July 2019)

Agent Tesla

Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.(Citation: Talos Agent Tesla Oct 2018)

Dtrack

Dtrack packs collected data into a password protected archive.(Citation: Securelist Dtrack)

menuPass

menuPass has encrypted files and information before exfiltration.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

Daserf

Daserf hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016)

Leviathan

Leviathan has archived victim's data prior to exfiltration.(Citation: CISA AA21-200A APT40 July 2021)

Proton

Proton zips up files before exfiltrating them.(Citation: objsee mac malware 2017)

Pillowmint

Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.(Citation: Trustwave Pillowmint June 2020)

Aria-body

Aria-body has used ZIP to compress data gathered on a compromised host.(Citation: CheckPoint Naikon May 2020)

Prikormka

After collecting documents from removable media, Prikormka compresses the collected files and encrypts them with Blowfish.(Citation: ESET Operation Groundbait)

Lizar

Lizar has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)

Mitigations

Mitigation Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Detection

Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)

References

  1. Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.
  2. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  3. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  4. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
  5. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  6. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  7. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  8. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  9. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  10. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  11. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  12. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  13. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  14. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  15. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  16. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  17. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  18. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  19. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  20. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  21. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  22. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  23. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  24. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  25. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  26. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  27. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  28. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  29. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  30. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  31. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  32. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  33. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  34. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  35. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  36. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  37. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  38. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  39. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  40. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  41. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  42. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  43. Botezatu, B. et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  44. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  45. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  46. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  47. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  48. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  49. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  50. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  51. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  52. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  53. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  54. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  55. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  56. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  57. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
  58. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  59. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  60. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
