Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Встроенные полезные нагрузки
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Встроенные полезные нагрузки
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Obfuscated Files or Information:  Встроенные полезные нагрузки

ID Название
.001 Добавление в бинарный файл незначащих данных
.002 Упаковка ПО
.003 Стеганография
.004 Компиляция после доставки
.005 Удаление индикаторов компрометации из вредоносных инструментов
.006 Скрытая передача через HTML
.007 Динамическое разрешение API
.008 Перевод полезных нагрузок в трудночитаемый формат
.009 Встроенные полезные нагрузки
.010 Command Obfuscation
.011 Fileless Storage
.012 LNK Icon Smuggling
.013 Encrypted/Encoded File
.014 Polymorphic Code
.015 Compression
.016 Junk Code Insertion
.017 SVG Smuggling

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) Embedded content may also be used as Process Injection payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)

ID: T1027.009
Относится к технике:  T1027
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: File: File Creation, File: File Metadata
Версия: 1.2
Дата создания: 30 Sep 2022
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Moneybird

Moneybird contains a configuration blob embedded in the malware itself.(Citation: CheckPoint Agrius 2023)
DEADEYE

The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.(Citation: Mandiant APT41)
Lazarus Group

Lazarus Group has distributed malicious payloads embedded in PNG files.(Citation: Microsoft DiamondSleet 2023)
BADHATCH

BADHATCH has an embedded second stage DLL payload within the first stage of the malware.(Citation: Gigamon BADHATCH Jul 2019)
CHIMNEYSWEEP

CHIMNEYSWEEP can extract RC4 encrypted embedded payloads for privilege escalation.(Citation: Mandiant ROADSWEEP August 2022)
DEADWOOD

DEADWOOD contains an embedded, AES-encrypted payload labeled METADATA that provides configuration information for follow-on execution.(Citation: SentinelOne Agrius 2021)
Emotet

Emotet has dropped an embedded executable at `%Temp%\setup.exe`.(Citation: Binary Defense Emotes Wi-Fi Spreader) Additionally, Emotet may embed entire code into other files.(Citation: emotet_hc3_nov2023)
macOS.OSAMiner

macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)
Dtrack

Dtrack has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack)
IcedID

IcedID has embedded malicious functionality in a legitimate DLL file.(Citation: Trendmicro_IcedID)

Netwalker

Netwalker's DLL has been embedded within the PowerShell script in hex format.(Citation: TrendMicro Netwalker May 2020)
MultiLayer Wiper

MultiLayer Wiper contains two binaries in its resources section, MultiList and MultiWip. MultiLayer Wiper drops and executes each of these items when run, then deletes them after execution.(Citation: Unit42 Agrius 2023)
SMOKEDHAM

The SMOKEDHAM source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM June 2021)
Pikabot

Pikabot further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as initial XOR operations combined with the first 16 bytes of the encrypted data as an initialization vector.(Citation: Zscaler Pikabot 2023) Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader .text section before decrypting and assembling these during execution.(Citation: Elastic Pikabot 2024)
TA577

TA577 has used LNK files to execute embedded DLLs.(Citation: Latrodectus APR 2024)
ComRAT

ComRAT has embedded a XOR encrypted communications module inside the orchestrator module.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

DUSTPAN

DUSTPAN decrypts and executes an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Cloud APT41 2022)
DUSTTRAP

DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution.(Citation: Google Cloud APT41 2024)
Invoke-PSImage

Invoke-PSImage can be used to embed payload data within a new image file.(Citation: GitHub PSImage)

For C0021, the threat actors embedded a base64-encoded payload within a LNK file.(Citation: Microsoft Unidentified Dec 2018)
Moonstone Sleet

Moonstone Sleet embedded payloads in trojanized software for follow-on execution.(Citation: Microsoft Moonstone Sleet 2024)
Uroburos

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Контрмеры
Контрмера Описание
Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures: Signature-Based Detection: - Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file. Heuristic-Based Detection: - Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available. Behavioral Detection (Behavior Prevention): - Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified. Real-Time Scanning: - Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened. Cloud-Assisted Threat Intelligence: - Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks. **Tools for Implementation**: - Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

Ссылки

  1. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.
  2. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  3. Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.
  4. KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.
  5. Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.
  6. CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.
  7. Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.
  8. Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.
  9. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  10. Microsoft Threat Intelligence. (2023, November 22). Diamond Sleet supply chain compromise distributes a modified CyberLink installer. Retrieved March 28, 2025.
  11. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  12. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  13. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  14. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
  15. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  16. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  17. Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  18. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  19. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  20. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  21. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  22. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  23. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  24. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  25. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  26. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  27. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.
  28. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  29. Barrett Adams. (n.d.). Invoke-PSImage . Retrieved September 30, 2022.
  30. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  31. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  32. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.