
Archive Collected Data: Archive via Custom Method

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)
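As an added example (not code from the page or from any of the malware families listed below), the staging scheme the page attributes to SPACESHIP and FLASHFLOOD (zlib compression, a rotation by four positions, XOR with 0x23) re-implemented in Python, together with the decoder an analyst would write and a brute-force key recovery that also covers the single-byte-XOR variants in the list (FIN6's 0xAA, T9000). The page's wording does not say whether the rotation is over bits or over byte positions; the example assumes a per-byte rotate of four bit positions (a nibble swap). The collected inventory text is constructed. The security point it shows: once a custom scheme XORs a compressed stream, the zlib header and Adler-32 trailer act as a known plaintext, so a single-byte key falls out in at most 256 trials.

```python
import zlib
from typing import Optional


def rol4(b: int) -> int:
    """Rotate one byte left by four bit positions (a nibble swap, so it is its own inverse)."""
    return ((b << 4) | (b >> 4)) & 0xFF


def encode_staged(data: bytes, key: int = 0x23) -> bytes:
    """Stage data as the page describes: zlib-compress, rotate each byte, XOR with a single-byte key."""
    return bytes(rol4(b) ^ key for b in zlib.compress(data))


def decode_staged(blob: bytes, key: int = 0x23) -> bytes:
    """Undo the steps in reverse order: XOR, rotate back, inflate. Raises zlib.error on a wrong key."""
    return zlib.decompress(bytes(rol4(b ^ key) for b in blob))


def recover_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte key using the zlib header as known plaintext.

    CMF is 0x78 for deflate with a 32 KiB window and (CMF*256 + FLG) % 31 == 0,
    so at most one key survives the header check; the Adler-32 trailer checked
    inside zlib.decompress confirms it. Returns None if no key yields a valid stream.
    """
    if len(blob) < 2:
        return None
    for key in range(256):
        cmf, flg = (rol4(b ^ key) for b in blob[:2])
        if cmf != 0x78 or (cmf * 256 + flg) % 31 != 0:
            continue
        try:
            decode_staged(blob, key)
            return key
        except zlib.error:
            continue
    return None


# Constructed stand-in for collected data (a small file inventory), not real victim data.
COLLECTED = (
    b"host=WS-FIN-07\r\nuser=j.doe\r\n"
    b"C:\\Users\\j.doe\\Documents\\Q3_forecast.xlsx\t118234\t2024-02-11\r\n"
    b"C:\\Users\\j.doe\\Documents\\board_minutes.docx\t40122\t2024-02-09\r\n"
)

if __name__ == "__main__":
    staged = encode_staged(COLLECTED)
    # What lands in the staging directory: no zlib magic, no readable strings.
    print("first bytes on disk:", staged[:4].hex())
    key = recover_key(staged)
    print("recovered key: 0x%02X" % key)
    print(decode_staged(staged, key).decode())
```

The recovery works against any single-byte key and any fixed per-byte transform the analyst has already identified from the sample; for the multi-byte static keys in the list (Stuxnet's 31-byte keys) the same header oracle still pins down the first two key bytes, and the rest is recovered from the compressed stream's structure or from a known file in the staging area.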

ID: T1560.003
Sub-technique of: T1560
Tactic(s): Collection
Platforms: Linux, macOS, Windows
Data sources: File: File Creation, Script: Script Execution
Version: 1.0
Created: 20 Feb 2020
Last modified: 25 Mar 2020

Procedure examples

Name and description
Attor

Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers.(Citation: ESET Attor Oct 2019)

BLUELIGHT

BLUELIGHT has encoded data into a binary blob using XOR.(Citation: Volexity InkySquid BLUELIGHT August 2021)

FIN6

FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)

Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu)

Stuxnet

Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys.(Citation: Symantec W.32 Stuxnet Dossier)

SPACESHIP

Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.(Citation: FireEye APT30)

CopyKittens

CopyKittens encrypts data with a substitution cipher prior to exfiltration.(Citation: CopyKittens Nov 2015)

FoggyWeb

FoggyWeb can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, FoggyWeb can encode C2 command output within a legitimate WebP file.(Citation: MSTIC FoggyWeb September 2021)

NETWIRE

NETWIRE has used a custom encryption algorithm to encrypt collected data.(Citation: FireEye NETWIRE March 2019)

Rising Sun

Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.(Citation: McAfee Sharpshooter December 2018)

StrongPity

StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

RGDoor

RGDoor encrypts files with XOR before sending them back to the C2 server.(Citation: Unit 42 RGDoor Jan 2018)

RawPOS

RawPOS encodes credit card data it collected from the victim with XOR.(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)(Citation: Visa RawPOS March 2015)

Ramsay

Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.(Citation: Eset Ramsay May 2020)

Mustang Panda

Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)

Kimsuky

Kimsuky has used RC4 encryption before exfiltration.(Citation: Securelist Kimsuky Sept 2013)

OopsIE

OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.(Citation: Unit 42 OopsIE! Feb 2018)

SombRAT

SombRAT has encrypted collected data with AES-256 using a hardcoded key.(Citation: BlackBerry CostaRicto November 2020)

Machete

Machete's collected data is encrypted with AES before exfiltration.(Citation: ESET Machete July 2019)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

Reaver

Reaver encrypts collected data with an incremental XOR key prior to exfiltration.(Citation: Palo Alto Reaver Nov 2017)

HAWKBALL

HAWKBALL has encrypted data with XOR before sending it over the C2 channel.(Citation: FireEye HAWKBALL Jun 2019)

OwaAuth

OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.(Citation: Dell TG-3390)

InvisiMole

InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.(Citation: ESET InvisiMole June 2018)

T9000

T9000 encrypts collected data using a single byte XOR key.(Citation: Palo Alto T9000 Feb 2016)

ADVSTORESHELL

ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.(Citation: ESET Sednit Part 2)

Squirrelwaffle

Squirrelwaffle has encrypted collected data using a XOR-based algorithm.(Citation: ZScaler Squirrelwaffle Sep 2021)

Okrum

Okrum has used a custom implementation of AES encryption to encrypt collected data.(Citation: ESET Okrum July 2019)

FunnyDream

FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line or `qwerasdf` if the command line argument doesn’t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.(Citation: Bitdefender FunnyDream Campaign November 2020)

MESSAGETAP

MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list.(Citation: FireEye MESSAGETAP October 2019)

SUGARDUMP

SUGARDUMP has encrypted collected data using AES CBC mode and encoded it using Base64.(Citation: Mandiant UNC3890 Aug 2022)

FrameworkPOS

FrameworkPOS can XOR credit card information before exfiltration.(Citation: SentinelOne FrameworkPOS September 2019)

Agent.btz

Agent.btz saves system information into an XML file that is then XOR-encoded.(Citation: ThreatExpert Agent.btz)

Lazarus Group

A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)

FLASHFLOOD

FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.(Citation: FireEye APT30)

Detection

Custom archival methods can be very difficult to detect, since many of them use standard programming language concepts, such as bitwise operations, and reference no external library or utility that could be fingerprinted. Detection therefore tends to rely on the surrounding telemetry listed under data sources above: files created in staging locations and the scripts or processes that produced them.
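A simple triage an analyst could run over newly created files in a suspected staging directory (the File: File Creation data source above), as an added example that is not part of the original page: byte entropy alone does not separate a legitimately compressed archive from a custom-encoded one, because a single-byte XOR is a bijection on byte values and leaves the byte histogram, and hence the entropy, unchanged. What does stand out is high entropy combined with the absence of any recognizable container header. The sample files, the magic-byte table and the 7.0 bits/byte threshold are constructed for the example.

```python
import math
import random
import zlib
from collections import Counter
from typing import Optional

# Header bytes of common containers. Constructed for this example; not exhaustive.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_container(data: bytes) -> Optional[str]:
    """Name of the container format if the file starts with a known header, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_file(name: str, data: bytes, threshold: float = 7.0) -> dict:
    """Flag files that look compressed or encrypted but carry no recognizable container header."""
    entropy = shannon_entropy(data)
    fmt = identify_container(data)
    return {
        "name": name,
        "entropy": round(entropy, 2),
        "format": fmt,
        "suspicious": entropy >= threshold and fmt is None,
    }


# Constructed sample files. PAYLOAD is pseudo-random and stands in for collected
# documents that are already compressed (i.e. incompressible by zlib).
_rng = random.Random(2024)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(3000))
SAMPLES = {
    "notes.txt": b"quarterly forecast meeting notes\n" * 100,          # plain text, low entropy
    "backup.zip": b"PK\x03\x04" + PAYLOAD,                            # zip-style header (not a valid archive)
    "tmp.dat": zlib.compress(PAYLOAD),                                # real zlib stream, header 78 9C
    "~$cache.bin": bytes(b ^ 0x23 for b in zlib.compress(PAYLOAD)),   # same stream after single-byte XOR
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Run the triage over a mapping of file name -> contents."""
    return {name: triage_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage_all().values():
        print(f"{r['name']:<12} entropy={r['entropy']:.2f} format={str(r['format']):<5} suspicious={r['suspicious']}")
```

The heuristic is deliberately narrow: it will also flag encrypted containers that use a format not in the table and will miss custom schemes applied to uncompressed data (entropy stays low). It is a triage filter for deciding which newly written files deserve a closer look, not a detection on its own.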

References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  3. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  4. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  5. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  6. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  7. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  8. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  9. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  10. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  11. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  12. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
  13. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  14. Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
  15. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  16. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  17. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  18. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  19. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  20. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  21. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  22. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  23. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  24. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  25. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  26. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  27. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  28. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  29. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  30. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  31. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  32. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  33. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  34. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  35. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  36. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  37. Tarakanov, D. (2013, September 11). The "Kimsuky" Operation: A North Korean APT? Retrieved August 13, 2019.
  38. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  39. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  40. Kumar, A. and Stone-Gross, B. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  41. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  42. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
