Obfuscated Files or Information:  Encrypted/Encoded File

TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.(Citation: S2 Grupo TrickBot June 2017)

BLINDINGCAN has obfuscated code using Base64 encoding.(Citation: US-CERT BLINDINGCAN Aug 2020)

The Ninja payload is XOR encrypted and compressed.(Citation: Kaspersky ToddyCat Check Logs October 2023) Ninja has also XORed its configuration data with a constant value of `0xAA`.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

Torisma has been Base64 encoded and AES encrypted.(Citation: McAfee Lazarus Nov 2020)

DOGCALL is encrypted using single-byte XOR.(Citation: Unit 42 Nokki Oct 2018)

Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.(Citation: Lumen Versa 2024)

Chinoxy has encrypted its configuration file.(Citation: Bitdefender FunnyDream Campaign November 2020)

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018)

WindTail can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)

Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.(Citation: Lotus Blossom Dec 2015)(Citation: Emissary Trojan Feb 2016)

Exaramel for Linux uses RC4 for encrypting the configuration.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)

Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)

HAWKBALL has encrypted the payload with an XOR-based algorithm.(Citation: FireEye HAWKBALL Jun 2019)

PS1 is distributed as a set of encrypted files and scripts.(Citation: BlackBerry CostaRicto November 2020)

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017)

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.(Citation: Kaspersky ThreatNeedle Feb 2021)

RansomHub has an encrypted configuration file.(Citation: Group-IB RansomHub FEB 2025)

A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

CARROTBAT has the ability to download a base64 encoded payload.(Citation: Unit 42 CARROTBAT November 2018)

GravityRAT supports file encryption (AES with the key "lolomycin2017").(Citation: Talos GravityRAT)

StrongPity has used encrypted strings in its dropper component.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

AuditCred encrypts the configuration.(Citation: TrendMicro Lazarus Nov 2018)

UPSTYLE stores primary content as base64-encoded objects.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)

RainyDay has downloaded as a XOR-encrypted payload.(Citation: Bitdefender Naikon April 2021)

PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.(Citation: Checkpoint MosesStaff Nov 2021)

EnvyScout can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021)

GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.(Citation: ESET GreyEnergy Oct 2018)

Aria-body has used an encrypted configuration file for its loader.(Citation: CheckPoint Naikon May 2020)

Emotet uses obfuscated URLs to download a ZIP file.(Citation: emotet_trendmicro_mar2023)

DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.(Citation: Google Cloud APT41 2024)

Avenger has the ability to XOR encrypt files to be sent to C2.(Citation: Trend Micro Tick November 2019)

DUSTPAN decrypts an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Cloud APT41 2022)

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.(Citation: ESET Operation Groundbait)

PcShare has been encrypted with XOR using different 32-long Base16 strings.(Citation: Bitdefender FunnyDream Campaign November 2020)

Dacls can encrypt its configuration file with AES CBC.(Citation: TrendMicro macOS Dacls May 2020)

Woody RAT has used Base64 encoded strings and scripts.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda has been obfuscated and contains encrypted functions.(Citation: SentinelLabs Metador Sept 2022)

Squirrelwaffle has been obfuscated with a XOR-based algorithm.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

Hildegard has encrypted an ELF file.(Citation: Unit 42 Hildegard Malware)

FlawedGrace encrypts its C2 configuration files with AES in CBC mode.(Citation: Proofpoint TA505 Jan 2019)

Rifdoor has encrypted strings with a single byte XOR algorithm.(Citation: Carbon Black HotCroissant April 2020)

Cuckoo Stealer strings are XOR-encrypted.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.(Citation: NCC Group WastedLocker June 2020)

A Volgmer variant is encoded using a simple XOR cipher.(Citation: US-CERT Volgmer 2 Nov 2017)

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)

ZeroT has encrypted its payload with RC4.(Citation: Proofpoint ZeroT Feb 2017)

Skidmap has encrypted it's main payload using 3DES.(Citation: Trend Micro Skidmap)

SamSam has been seen using AES or DES to encrypt payloads and payload components.(Citation: Sophos SamSam Apr 2018)(Citation: Talos SamSam Jan 2018)

Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.(Citation: ESET Security Mispadu Facebook Ads 2019) Mispadu also uses encoded configuration files and has encoded payloads using Base64.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)(Citation: SCILabs Malteiro Threat Overlap 2023)

Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Fysbis has been encrypted using XOR and RC4.(Citation: Fysbis Dr Web Analysis)

IcedID has utilzed encrypted binaries and base64 encoded strings.(Citation: Juniper IcedID June 2020)

VERMIN is obfuscated using the obfuscation tool called ConfuserEx.(Citation: Unit 42 VERMIN Jan 2018)

DCSrv's configuration is encrypted.(Citation: Checkpoint MosesStaff Nov 2021)

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.(Citation: FireEye FIN7 Oct 2019)

Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.(Citation: McAfee Sharpshooter December 2018)

Chrommme can encrypt sections of its code to evade detection.(Citation: ESET Gelsemium June 2021)

SocGholish has single or double Base-64 encoded references to its second-stage server URLs.(Citation: SentinelOne SocGholish Infrastructure November 2022)

Hi-Zor uses various XOR techniques to obfuscate its components.(Citation: Fidelis INOCNATION)

LightSpy encrypts the C2 configuration file using AES with a static key, while the module `.dylib` files use a rolling one-byte encoding for obfuscation.(Citation: Huntress LightSpy macOS 2024)

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.(Citation: CitizenLab KeyBoy Nov 2016)

HyperBro can be delivered encrypted to a compromised host.(Citation: Trend Micro DRBControl February 2020)

Reaver encrypts some of its files with XOR.(Citation: Palo Alto Reaver Nov 2017)

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.(Citation: Qualys LummaStealer 2024)

Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)

LightNeuron encrypts its configuration files with AES-256.(Citation: ESET LightNeuron May 2019)

KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.(Citation: Mandiant APT41)

DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.(Citation: Ensilo Darkgate 2018) DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.(Citation: Trellix Darkgate 2023)

NanHaiShu encodes files in Base64.(Citation: fsecure NanHaiShu July 2016)

The LockBit 3.0 payload includes an encrypted main component.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

FoggyWeb has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021)

Some strings in HOMEFRY are obfuscated with XOR x56.(Citation: FireEye Periscope March 2018)

Elise encrypts several of its files, including configuration files.(Citation: Lotus Blossom Jun 2015)

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.(Citation: Securelist WhiteBear Aug 2017)

Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.(Citation: US-CERT TYPEFRAME June 2018)

Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime.(Citation: Symantec Bilbug 2022)

BendyBear has encrypted payloads using RC4 and XOR.(Citation: Unit42 BendyBear Feb 2021)

Uroburos can use AES and CAST-128 encryption to obfuscate resources.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Metamorfo has encrypted payloads and strings.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

PipeMon modules are stored encrypted on disk.(Citation: ESET PipeMon May 2020)

MagicRAT stores base64 encoded command and contorl URLs in a configuraiton file, with each URL prefixed with the value `LR02DPt22R`.(Citation: Cisco MagicRAT 2022)

TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.(Citation: Forcepoint Monsoon)

KONNI is heavily obfuscated and includes encrypted configuration files.(Citation: Malwarebytes Konni Aug 2021)

Winnti for Linux can encode its configuration file with single-byte XOR encoding.(Citation: Chronicle Winnti for Linux May 2019)

RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.(Citation: Mandiant Pulse Secure Update May 2021)

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)

BLUELIGHT has a XOR-encoded payload.(Citation: Volexity InkySquid BLUELIGHT August 2021)

KGH_SPY has used encrypted strings in its installer.(Citation: Cybereason Kimsuky November 2020)

Micropsia obfuscates the configuration with a custom Base64 and XOR.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.(Citation: Unit 42 KerrDown February 2019)

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.(Citation: Kaspersky StoneDrill 2017)

Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.(Citation: ESET Attor Oct 2019)

Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.(Citation: ESET Turla Mosquito Jan 2018)

BlackByte Ransomware is distributed as an encrypted payload.(Citation: Trustwave BlackByte 2021)

StrelaStealer uses XOR-encoded strings to obfuscate items.(Citation: DCSO StrelaStealer 2022)

The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)

Sakula uses single-byte XOR obfuscation to obfuscate many of its files.(Citation: Dell Sakula)

ZxxZ has been encoded to avoid detection from static analysis tools.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Shark can use encrypted and encoded files for C2 configuration.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Bazar has used XOR, RSA2, and RC4 encrypted files.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)

XLoader features encrypted functions using the RC4 algorithm and bytecode operations.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)

Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemas for various configuration and other objects.(Citation: WithSecure Kapeka 2024)

SpeakUp encodes its second-stage payload with Base64. (Citation: CheckPoint SpeakUp Feb 2019)

LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.(Citation: ESET Turla Lunar toolset May 2024)

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.(Citation: Donut Github)

HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.(Citation: Carbon Black HotCroissant April 2020)

REvil has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)

Milan can encode files containing information about the targeted system.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)

Most strings in USBStealer are encrypted using 3DES and XOR and reversed.(Citation: ESET Sednit USBStealer 2014)

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.(Citation: TrendMicro MacOS April 2018)

Taidoor can use encrypted string blocks for obfuscation.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.(Citation: Unit 42 IronNetInjector February 2021 )

SUPERNOVA contained Base64-encoded strings.(Citation: CISA Supernova Jan 2021)

Seasalt obfuscates configuration data.(Citation: Mandiant APT1 Appendix)

Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)

IPsec Helper contains an embedded XML configuration file with an encrypted list of command and control servers. These are written to an external configuration file during execution.(Citation: SentinelOne Agrius 2021)

Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.(Citation: PaloAlto CardinalRat Apr 2017)

DanBot can Base64 encode its payload.(Citation: SecureWorks August 2019)

GoldenSpy's uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)

Carberp has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011)

FunnyDream can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets.(Citation: Bitdefender FunnyDream Campaign November 2020)

The ROADSWEEP binary contains RC4 encrypted embedded scripts.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.(Citation: ESET EvilNum July 2020)

SysUpdate can encrypt and encode its configuration file.(Citation: Trend Micro Iron Tiger April 2021)

Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.(Citation: Symantec Security Center Trojan.Kwampirs)

DEADEYE has encrypted its payload.(Citation: Mandiant APT41)

Mango contains a series of base64 encoded substrings.(Citation: ESET OilRig Campaigns Sep 2023)

Kessel's configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018)

YAHOYAH encrypts its configuration file using a simple algorithm.(Citation: TrendMicro TropicTrooper 2015)

StealBit stores obfuscated DLL file names in its executable.(Citation: Cybereason StealBit Exfiltration Tool)

FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)

Penquin has encrypted strings in the binary for obfuscation.(Citation: Leonardo Turla Penquin May 2020)

Winnti for Windows has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)

njRAT has included a base64 encoded executable.(Citation: Trend Micro njRAT 2018)

metaMain's module file has been encrypted via XOR.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Heyoka Backdoor can encrypt its payload.(Citation: SentinelOne Aoqin Dragon June 2022)

The LunarWeb install files have been encrypted with AES-256.(Citation: ESET Turla Lunar toolset May 2024)

Older XCSSET variants use `xxd` to encode modules. Later versions pass an `xxd` or `base64` encoded blob through multiple decoding stages to reconstruct the module name, AppleScript, or shell command. For example, the initial network request uses three layers of hex decoding before executing a curl command in a shell.(Citation: Microsoft March 2025 XCSSET)

STARWHALE has been obfuscated with hex-encoded strings.(Citation: DHS CISA AA22-055A MuddyWater February 2022)

The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.(Citation: F-Secure CozyDuke)

Kevin has Base64-encoded its configuration file.(Citation: Kaspersky Lyceum October 2021)

Remexi obfuscates its configuration data with XOR.(Citation: Securelist Remexi Jan 2019)

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Securelist Brazilian Banking Malware July 2020)

The Helminth config file is encrypted with RC4.(Citation: Palo Alto OilRig May 2016)

DEADWOOD contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.(Citation: SentinelOne Agrius 2021)

Waterbear has used RC4 encrypted shellcode and encrypted functions.(Citation: Trend Micro Waterbear December 2019)

The FIVEHANDS payload is encrypted with AES-128.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)

LoudMiner has encrypted DMG files.(Citation: ESET LoudMiner June 2019)

BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.(Citation: Crowdstrike Indrik November 2018)

Zox has been encoded with Base64.(Citation: Novetta-Axiom)

HiddenWasp encrypts its configuration and payload.(Citation: Intezer HiddenWasp Map 2019)

HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.(Citation: ESET Hermetic Wizard March 2022)

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)

Tropic Trooper has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)

APT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail)

Fox Kitten has base64 encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)

Whitefly has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019)

Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

APT39 has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)

Transparent Tribe has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.(Citation: CrowdStrike Putter Panda)

Leviathan has obfuscated code using base64.(Citation: Proofpoint Leviathan Oct 2017)

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)

APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)

Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)

Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Metador has encrypted their payloads.(Citation: SentinelLabs Metador Sept 2022)

Moses Staff has used obfuscated web shells in their operations.(Citation: Checkpoint MosesStaff Nov 2021)

Higaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)

OilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Playbook 2023)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)

APT19 used Base64 to obfuscate payloads.(Citation: FireEye APT19)

Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)

BITTER has used a RAR SFX dropper to deliver malware.(Citation: Forcepoint BITTER Pakistan Oct 2016)

APT18 obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)

Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021)

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020)

TeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020)

Mofang has encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang)

Storm-1811 XOR encodes a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process.(Citation: rapid7-email-bombing)

Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.(Citation: Microsoft Moonstone Sleet 2024)

Blue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)

Elderwood has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012)

Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.(Citation: SCILabs Malteiro Threat Overlap 2023)

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)

TA505 has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017)

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures: Signature-Based Detection: - Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file. Heuristic-Based Detection: - Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available. Behavioral Detection (Behavior Prevention): - Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified. Real-Time Scanning: - Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened. Cloud-Assisted Threat Intelligence: - Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks. **Tools for Implementation**: - Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.