
Archive Collected Data: Archive via Library

An adversary may compress or encrypt data that is collected prior to exfiltration using third-party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities: the libraries can be linked against when compiling, while the utilities require spawning a subshell or a similar execution mechanism.

ID: T1560.002
Sub-technique of: T1560
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data sources: File: File Creation, Script: Script Execution
Version: 1.0
Created: 20 Feb 2020
Last modified: 29 Mar 2020

Procedure Examples

Name: Description

TajMahal: TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files. (Citation: Kaspersky TajMahal April 2019)

ZLib: The ZLib backdoor compresses communications using the standard Zlib compression library. (Citation: Cylance Dust Storm)

BBSRAT: BBSRAT can compress data with ZLIB prior to sending it back to the C2 server. (Citation: Palo Alto Networks BBSRAT)

InvisiMole: InvisiMole can use zlib to compress and decompress data. (Citation: ESET InvisiMole June 2018) (Citation: ESET InvisiMole June 2020)

SeaDuke: SeaDuke compressed data with zlib prior to sending it over C2. (Citation: Mandiant No Easy Breach)

Denis: Denis compressed collected data using zlib. (Citation: Securelist Denis April 2017)

Epic: Epic compresses the collected data with bzip2 before sending it to the C2 server. (Citation: Kaspersky Turla Aug 2014)

BADFLICK: BADFLICK has compressed data using the aPLib compression library. (Citation: Accenture MUDCARP March 2019)

Cardinal RAT: Cardinal RAT applies compression to C2 traffic using the ZLIB library. (Citation: PaloAlto CardinalRat Apr 2017)

Lazarus Group: Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. (Citation: Novetta Blockbuster RATs) (Citation: McAfee Lazarus Resurfaces Feb 2018)

FoggyWeb: FoggyWeb can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class. (Citation: MSTIC FoggyWeb September 2021)

FunnyDream: FunnyDream has compressed collected files with zLib. (Citation: Bitdefender FunnyDream Campaign November 2020)

Threat Group-3390: Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. (Citation: SecureWorks BRONZE UNION June 2017)

Detection

Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used. Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)
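The header-based detection described above, as an added example that is not part of the original page: a small Python classifier that recognises the archive formats named here (gzip as produced by GZipStream, bzip2, RAR, zip, xz) by their public magic bytes, and raw zlib streams by the RFC 1950 header check, since zlib has no fixed magic string. The sample files and paths are constructed here for illustration.

```python
import zlib
import bz2
import gzip

# Magic bytes for the archive formats discussed on this page
# (values from the public file-signature lists the page cites).
SIGNATURES = {
    b"\x1f\x8b": "gzip",        # what C# GZipStream writes
    b"BZh": "bzip2",
    b"Rar!\x1a\x07": "rar",     # common prefix of RAR 1.5 and RAR 5 headers
    b"PK\x03\x04": "zip",
    b"\xfd7zXZ\x00": "xz",
}

def is_zlib_header(b):
    """RFC 1950 zlib stream check: CM (low nibble of CMF) must be 8 (deflate),
    CINFO (high nibble) at most 7, and CMF*256+FLG a multiple of 31."""
    if len(b) < 2:
        return False
    cmf, flg = b[0], b[1]
    if (cmf & 0x0F) != 8 or (cmf >> 4) > 7:
        return False
    return (cmf * 256 + flg) % 31 == 0

def classify(data):
    """Return the detected archive format for a file's leading bytes, or None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    if is_zlib_header(data):
        return "zlib"
    return None

def scan_files(files):
    """files: mapping path -> leading bytes. Returns (path, format) hits.
    Decisions rest on headers, so a misleading extension does not help."""
    return [(p, fmt) for p, d in files.items() if (fmt := classify(d)) is not None]

# Constructed sample "files": three compressed blobs with innocuous extensions
# and one genuinely plain-text file that must not be flagged.
SAMPLES = {
    "staging/report.txt": zlib.compress(b"collected data " * 20),
    "staging/logs.dat": bz2.compress(b"syslog lines " * 20),
    "staging/out.bin": gzip.compress(b"exported rows " * 20),
    "notes/readme.txt": b"Plain text notes, nothing compressed here.",
}

if __name__ == "__main__":
    for path, fmt in scan_files(SAMPLES):
        print(f"{path}: {fmt} stream detected")
```

In practice the same classifier would be fed the first bytes of newly created files from a File Creation data source, with results correlated against the writing process.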

References

  1. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.
  2. madler. (2017). zlib. Retrieved February 20, 2020.
  3. D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, 2020.
  4. mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.
  5. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  6. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  8. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  9. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  10. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  11. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  12. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  13. Lee, B. and Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  14. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  15. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  16. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  17. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  18. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  19. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
