Data Obfuscation: Мусорные данные
Other sub-techniques of Data Obfuscation (3)
Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
Примеры процедур |
|
Название | Описание |
---|---|
P2P ZeuS |
P2P ZeuS added junk data to outgoing UDP packets to peer implants.(Citation: Dell P2P ZeuS) |
Downdelph |
Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.(Citation: ESET Sednit Part 3) |
Mori |
Mori has obfuscated the FML.dll with 200MB of junk data.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
BendyBear |
BendyBear has used byte randomization to obscure its behavior.(Citation: Unit42 BendyBear Feb 2021) |
TrailBlazer |
TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.(Citation: CrowdStrike StellarParticle January 2022) |
Uroburos |
Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
P8RAT |
P8RAT can send randomly-generated data as part of its C2 communication.(Citation: Securelist APT10 March 2021) |
PLEAD |
PLEAD samples were found to be highly obfuscated with junk code.(Citation: ESET PLEAD Malware July 2018)(Citation: TrendMicro BlackTech June 2017) |
Kevin |
Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.(Citation: Kaspersky Lyceum October 2021) |
GoldMax |
GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021) |
SUNBURST |
SUNBURST added junk bytes to its C2 over HTTP.(Citation: FireEye SUNBURST Backdoor December 2020) |
Turian |
Turian can insert pseudo-random characters into its network encryption setup.(Citation: ESET BackdoorDiplomacy Jun 2021) |
GrimAgent |
GrimAgent can pad C2 messages with random generated values.(Citation: Group IB GrimAgent July 2021) |
APT28 |
APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.(Citation: FireEye APT28) |
WellMess |
WellMess can use junk data in the Base64 string for additional obfuscation.(Citation: CISA WellMess July 2020) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
Обнаружение
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
Ссылки
- SecureWorks. (2012). The Lifecycle of Peer-to-Peer (Gameover) ZeuS. Retrieved August 19, 2015.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech‑companies misused in Plead malware campaign. Retrieved May 6, 2020.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.