Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Compression
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Compression
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Obfuscated Files or Information:  Compression

ID Название
.001 Добавление в бинарный файл незначащих данных
.002 Упаковка ПО
.003 Стеганография
.004 Компиляция после доставки
.005 Удаление индикаторов компрометации из вредоносных инструментов
.006 Скрытая передача через HTML
.007 Динамическое разрешение API
.008 Перевод полезных нагрузок в трудночитаемый формат
.009 Встроенные полезные нагрузки
.010 Command Obfuscation
.011 Fileless Storage
.012 LNK Icon Smuggling
.013 Encrypted/Encoded File
.014 Polymorphic Code
.015 Compression
.016 Junk Code Insertion
.017 SVG Smuggling

Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).(Citation: Trustwave Pillowmint June 2020) In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point) File archives may be sent as one Spearphishing Attachment through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., Malicious File).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News) Compression may be used in combination with Encrypted/Encoded File where compressed files are encrypted and password-protected.

ID: T1027.015
Относится к технике:  T1027
Тактика(-и): Defense Evasion
Платформы: Linux, Windows, macOS
Источники данных: File: File Creation, File: File Metadata
Версия: 1.0
Дата создания: 04 Mar 2025
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Ninja

Ninja has compressed its data with the LZSS algorithm.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
RCSession

RCSession can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend Micro DRBControl February 2020)
WindTail

WindTail can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)
ThreatNeedle

ThreatNeedle has been compressed and obfuscated.(Citation: Kaspersky ThreatNeedle Feb 2021)
Pony

Pony attachments have been delivered via compressed archive files.(Citation: Malwarebytes Pony April 2016)
BADHATCH

BADHATCH can be compressed with the ApLib algorithm.(Citation: BitDefender BADHATCH Mar 2021)
PcShare

PcShare has been compressed with LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)
ShimRat

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.(Citation: FOX-IT May 2016 Mofang)
SocGholish

The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)

Line Runner

Line Runner uses a ZIP payload that is automatically extracted with its contents, a LUA script, executed for initial execution via CVE-2024-20359.(Citation: Cisco ArcaneDoor 2024)
DarkWatchman

DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.(Citation: Prevailion DarkWatchman 2021)
Kerrdown

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.(Citation: Unit 42 KerrDown February 2019)
RTM

RTM has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)
StrelaStealer

StrelaStealer has been delivered via JScript files in a ZIP archive.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)

HermeticWiper

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Pandora

Pandora has the ability to compress stings with QuickLZ.(Citation: Trend Micro Iron Tiger April 2021)
Donut

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.(Citation: Donut Github)
SUNBURST

SUNBURST strings were compressed and encoded in Base64.(Citation: Microsoft Analyzing Solorigate Dec 2020)
Samurai

Samurai can deliver its final payload as a compressed, encrypted and base64-encoded blob.(Citation: Kaspersky ToddyCat June 2022)
Pillowmint

Pillowmint has been compressed and stored within a registry key.(Citation: Trustwave Pillowmint June 2020)

Winnti for Windows

Winnti for Windows has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)
Hancitor

Hancitor has delivered compressed payloads in ZIP files to victims.(Citation: FireEye Hancitor)
Gelsemium

Gelsemium has the ability to compress its components.(Citation: ESET Gelsemium June 2021)
TA2541

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)
Leviathan

Leviathan has obfuscated code using gzip compression.(Citation: Proofpoint Leviathan Oct 2017)
Molerats

Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)
Threat Group-3390

Threat Group-3390 malware is compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)
Higaisa

Higaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
Mofang

Mofang has compressed the ShimRat executable within malicious email attachments.(Citation: FOX-IT May 2016 Mofang)

Контрмеры
Контрмера Описание
Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures: Signature-Based Detection: - Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file. Heuristic-Based Detection: - Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available. Behavioral Detection (Behavior Prevention): - Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified. Real-Time Scanning: - Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened. Cloud-Assisted Threat Intelligence: - Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks. **Tools for Implementation**: - Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

Ссылки

  1. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  2. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  3. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  4. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  5. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  6. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  7. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  8. Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.
  9. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  10. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  11. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  12. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  13. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  14. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  15. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
  16. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  17. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  18. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  19. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  20. Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.
  21. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  22. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  23. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  24. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  25. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  26. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  27. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  28. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  29. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  30. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  31. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  32. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  33. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  34. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  35. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  36. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  37. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  38. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  39. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.