Obfuscated Files or Information: Встроенные полезные нагрузки
Other sub-techniques of Obfuscated Files or Information (9)
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) Embedded content may also be used as Process Injection payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)
Примеры процедур |
|
| Название | Описание |
|---|---|
| macOS.OSAMiner |
macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.(Citation: SentinelLabs reversing run-only applescripts 2021) |
| Dtrack |
Dtrack has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack) |
| SMOKEDHAM |
The SMOKEDHAM source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM June 2021) |
| ComRAT |
ComRAT has embedded a XOR encrypted communications module inside the orchestrator module.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) |
| Invoke-PSImage |
Invoke-PSImage can be used to embed payload data within a new image file.(Citation: GitHub PSImage) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
| Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
Ссылки
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.
- KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.
- Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.
- Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Barrett Adams. (n.d.). Invoke-PSImage . Retrieved September 30, 2022.
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.