Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage protection for personal data systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS programs, and banking security systems.
SECURITM is also a place where security teams exchange experience and working material.

Obfuscated Files or Information: Binary Padding (adding junk data to a binary file)

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of the binary, but it can increase the file size beyond what some security tools are capable of handling due to file size limitations. Binary padding changes the checksum of the file and can therefore be used to evade hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding is commonly generated by a function that produces junk data, which is then appended to the end of the file or inserted into sections of the malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may reduce the effectiveness of tools and detection capabilities that are not designed or configured to scan large files, and may also reduce the likelihood of the file being collected for analysis. Public file scanning services such as VirusTotal limit the maximum size of an uploaded file that will be analyzed.(Citation: VirusTotal FAQ)

ID: T1027.001
Sub-technique of: T1027
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Data Sources: File: File Metadata
Version: 1.2
Created: 05 Feb 2020
Last Modified: 15 Oct 2021

Procedure Examples

Name    Description
TAINTEDSCRIBE

TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

Maze

Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.(Citation: McAfee Maze March 2020)

XTunnel

A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.(Citation: ESET Sednit Part 2)

Javali

Javali can use large obfuscated libraries to hinder detection and analysis.(Citation: Securelist Brazilian Banking Malware July 2020)

QakBot

QakBot can use large file sizes to evade detection.(Citation: Trend Micro Qakbot May 2020)(Citation: Group IB Ransomware September 2020)

Rifdoor

Rifdoor has added four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe.(Citation: Carbon Black HotCroissant April 2020)

Gamaredon Group

Gamaredon Group has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020)

yty

yty contains junk code in its binary, likely to confuse malware analysts.(Citation: ASERT Donot March 2018)

Leviathan

Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proofpoint Leviathan Oct 2017)

ZeroT

ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.(Citation: Proofpoint ZeroT Feb 2017)

SamSam

SamSam has used garbage code to pad some of its malware components.(Citation: Sophos SamSam Apr 2018)

Grandoreiro

Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size.(Citation: ESET Grandoreiro April 2020)

APT29

APT29 has used large file sizes to avoid detection.(Citation: SentinelOne NobleBaron June 2021)

Moafee

Moafee has been known to employ binary padding.(Citation: Haq 2014)

CostaBricks

CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.(Citation: BlackBerry CostaRicto November 2020)

Bisonal

Bisonal has appended random binary data to the end of itself to generate a large binary.(Citation: Talos Bisonal Mar 2020)

Higaisa

Higaisa performed padding with null bytes before calculating its hash.(Citation: Zscaler Higaisa 2020)

WastedLocker

WastedLocker contains junk code to increase its entropy and hide the actual code.(Citation: NCC Group WastedLocker June 2020)

Kwampirs

Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.(Citation: Symantec Orangeworm April 2018)

CORESHELL

CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.(Citation: FireEye APT28)

FinFisher

FinFisher contains junk code in its functions in an effort to confuse disassembly programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Patchwork

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017)

Ember Bear

Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

BRONZE BUTLER

BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

Emissary

A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.(Citation: Emissary Trojan Feb 2016)

APT32

APT32 includes garbage code to mislead anti-malware software and researchers.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)

Mustang Panda

Mustang Panda has used junk code within their DLL files to hinder analysis.(Citation: Avira Mustang Panda January 2020)

Gelsemium

Gelsemium can use junk code to hide functions and evade detection.(Citation: ESET Gelsemium June 2021)

Comnie

Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.(Citation: Palo Alto Comnie)

POWERSTATS

POWERSTATS has used useless code blocks to counter analysis.(Citation: TrendMicro POWERSTATS V3 June 2019)

FatDuke

FatDuke has been packed with junk code and strings.(Citation: ESET Dukes October 2019)

GrimAgent

GrimAgent has the ability to add bytes to change the file hash.(Citation: Group IB GrimAgent July 2021)

Goopy

Goopy has had null characters padded in its malicious DLL payload.(Citation: Cybereason Cobalt Kitty 2017)

Detection

Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. The practical file-metadata indicators are an unusually large file size, a large overlay past the end of the last PE section, and long runs of identical trailing bytes; a hash computed over the mapped sections only, rather than the whole file, survives appended padding. When executed, the resulting process from a padded file may also exhibit other behavior characteristic of an intrusion, such as system and network information Discovery or Lateral Movement, which can serve as event indicators that point back to the source file.
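The padding described in the technique description above and the file-metadata detection in this section, as one added example in Python (not code from MITRE ATT&CK, SECURITM, or any report cited on this page). It builds a minimal PE in memory (a constructed sample, not a real binary from any report), pads it with random junk and with null bytes, and then parses the section table to measure the overlay, compute its entropy, and derive a hash that ignores appended data. The 2 MiB scanner limit is an assumed value for the demonstration; the page gives no figure.

```python
"""Binary padding on a constructed PE and an overlay-aware check for it.

Added example for this page; not code from MITRE ATT&CK, SECURITM or any
report cited here. The PE is built in memory purely for illustration.
"""
import hashlib
import math
import os
import struct
from collections import Counter

FILE_ALIGN = 0x200
ASSUMED_SCAN_LIMIT = 2 * 1024 * 1024  # assumed scanner limit for the demo, not a value from the page


def build_minimal_pe() -> bytes:
    """Return a structurally valid PE32 with one .text section (constructed sample).

    Only the fields the parser below reads are meaningful; the rest are zero.
    """
    e_lfanew = 0x40
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader (0xE0 for PE32), Characteristics (EXECUTABLE|32BIT)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\x00")  # Magic = PE32, rest zeroed
    raw_ptr = FILE_ALIGN  # section data starts right after the aligned headers
    raw_size = FILE_ALIGN
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc ptr, linenum ptr, nrelocs, nlinenums, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size,
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\x00")
    body = (b"\xcc" * 16 + b"constructed-section-body").ljust(raw_size, b"\x00")
    return headers + body


def pad_random(pe: bytes, n: int) -> bytes:
    """Append n random junk bytes (the Bisonal/Comnie style of overlay)."""
    return pe + os.urandom(n)


def pad_nulls(pe: bytes, n: int) -> bytes:
    """Append n null bytes (the BRONZE BUTLER/Goopy style of overlay)."""
    return pe + b"\x00" * n


def pe_section_end(data: bytes) -> int:
    """Offset where the last section's raw data ends according to the section table.

    Anything past this offset is overlay: the loader never maps it, so it is
    exactly where appended padding lands.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    end = table + 40 * n_sections
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size and raw_ptr:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(data))  # a truncated file has no overlay, not a negative one


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: about 8.0 for random junk, 0.0 for a run of one value."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def analyze(data: bytes, scan_limit: int = ASSUMED_SCAN_LIMIT) -> dict:
    """File-metadata indicators for padding plus a hash that ignores the overlay."""
    end = pe_section_end(data)
    overlay = data[end:]
    return {
        "size": len(data),
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay[:1 << 20]), 2),  # sample the first MiB
        "overlay_all_null": bool(overlay) and not overlay.strip(b"\x00"),
        "exceeds_scan_limit": len(data) > scan_limit,
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_sections": hashlib.sha256(data[:end]).hexdigest(),
    }


if __name__ == "__main__":
    base = build_minimal_pe()
    for name, blob in (("original", base),
                       ("random overlay 4 MiB", pad_random(base, 4 << 20)),
                       ("null overlay 1 MiB", pad_nulls(base, 1 << 20))):
        r = analyze(blob)
        print(f"{name:22} size={r['size']:>8} overlay={r['overlay_bytes']:>8} "
              f"entropy={r['overlay_entropy']:.2f} nulls={r['overlay_all_null']} "
              f"over_limit={r['exceeds_scan_limit']} "
              f"full={r['sha256_full'][:12]} sections={r['sha256_sections'][:12]}")
```

Two caveats for anyone turning this into a detection. First, the overlay check only sees data appended past the last section; junk inserted inside code (Maze, FinFisher, CORESHELL) or into the middle of the payload before it is written (Kwampirs) leaves no overlay, and the section-only hash changes with every such variant. Second, legitimately signed Windows binaries carry their Authenticode certificate table past the last section, and installers often append their payload there, so the indicator is overlay size and entropy relative to the file, not the mere presence of an overlay.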

References

  1. VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.
  2. Ishimaru, S. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.
  3. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  4. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  5. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  6. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  7. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  8. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  9. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  10. FinFisher. (n.d.). Retrieved December 20, 2017.
  11. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  12. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  13. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  14. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  15. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  16. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  17. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  18. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  19. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  20. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  21. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  22. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  23. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  24. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  25. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  26. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  27. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  28. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  29. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  30. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  31. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  32. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  33. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  34. Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.
  35. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  36. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  37. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  38. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  39. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
