Obfuscated Files or Information, Technique T1027 - Enterprise

C0025

2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.[7]

C0057

3CX Supply Chain Attack

During the 3CX Supply Chain Attack, AppleJeus payloads used the AES-256-GCM cipher to encrypt data, including ICONICSTEALER and VEILEDSIGNAL.[8][9]

S1028

Action RAT

Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[10]

S0045

ADVSTORESHELL

Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[11][12]

S0331

Agent Tesla

Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[13] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[14]

S1025

Amadey

Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[15]

S0504

Anchor

Anchor has obfuscated code with stack strings and string encryption.[16]

S9027

ANELLDR

ANELLDR code implements anti-analysis techniques including control flow flattening and Mixed Boolean Arithmetic (MBA).[17]

S0584

AppleJeus

AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[18]

S0622

AppleSeed

AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[19]

G0099

APT-C-36

APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payloads and RAT packages, and password protected encrypted email attachments to avoid detection.[20] APT-C-36 has also compressed initial droppers into ZIP, LHA and UUE formats.[21]

G0022

APT3

APT3 obfuscates files or information to help evade defensive measures.[22]

G0067

APT37

APT37 obfuscates strings and payloads.[23][24][25]

G0096

APT41

APT41 used VMProtected binaries in multiple intrusions.[26]

S0640

Avaddon

Avaddon has used encrypted strings.[27]

S1053

AvosLocker

AvosLocker has used XOR-encoded strings.[28]

G0135

BackdoorDiplomacy

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[29]

G0063

BlackOasis

BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.[30]

S1226

BOOKWORM

BOOKWORM has been delivered using self-extracting RAR archives.[31]

S0635

BoomBox

BoomBox can encrypt data using AES prior to exfiltration.[32]

S0651

BoxCaon

BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[33]

S1161

BPFDoor

BPFDoor can require a password to activate the backdoor and uses RC4 encryption or the statically linked libtomcrypt encryption library.[34]

S9015

BRICKSTORM

BRICKSTORM has used Go obfuscation libraries, including Garble, to obfuscate its code.[35][36]

S1063

Brute Ratel C4

Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[37][38]

S1039

Bumblebee

Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.[39][40][41]

S0482

Bundlore

Bundlore has obfuscated data with base64, AES, RC4, and bz2.[42]

S1118

BUSHWALK

BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.[43]

C0015

C0015

During C0015, the threat actors used Base64-encoded strings.[44]

C0017

C0017

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[45]

S0030

Carbanak

Carbanak encrypts strings to make analysis more difficult.[46]

S0335

Carbon

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[47][48]

S0465

CARROTBALL

CARROTBALL has used a custom base64 alphabet to decode files.[49]

S1149

CHIMNEYSWEEP

CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key.[50]

S0660

Clambling

The Clambling executable has been obfuscated when dropped on a compromised host.[51]

S1105

COATHANGER

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /date/.bd.key/preload.so.[52]

S0154

Cobalt Strike

Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.[53][54]

S0369

CoinTicker

CoinTicker initially downloads a hidden encoded file.[55]

S0244

Comnie

Comnie uses RC4 and Base64 to obfuscate strings.[56]

S0126

ComRAT

ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[57][58]

S0608

Conficker

Conficker has obfuscated its code to prevent its removal from host machines.[59]

S0575

Conti

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[60][61][62]

S0137

CORESHELL

CORESHELL obfuscates strings using a custom stream cipher.[63]

S0625

Cuba

Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[64]

S1111

DarkGate

DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[65]

S1066

DarkTortilla

DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[66]

S0187

Daserf

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[67]

S0354

Denis

Denis obfuscates its code and encrypts the API names.[68]

S0659

Diavol

Diavol has Base64 encoded the RSA public key used for encrypting files.[69]

S0694

DRATzarus

DRATzarus can be partly encrypted with XOR.[70]

S0384

Dridex

Dridex's strings are obfuscated using RC4.[71]

S0502

Drovorub

Drovorub has used XOR encrypted payloads in WebSocket client to server messages.[72]

S0062

DustySky

The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[73]

G1006

Earth Lusca

Earth Lusca used Base64 to encode strings.[74]

S0377

Ebury

Ebury has obfuscated its strings with a simple XOR encryption with a static key.[75]

S0593

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has encrypted strings with RC4.[76]

S0624

Ecipekac

Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[77]

S0605

EKANS

EKANS uses encoded strings in its process kill list.[78]

S0091

Epic

Epic heavily obfuscates its code to make analysis more difficult.[79]

S0512

FatDuke

FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[80]

S0355

Final1stspy

Final1stspy obfuscates strings with base64 encoding.[81]

S0182

FinFisher

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[82][83]

S0696

Flagpro

Flagpro has been delivered within ZIP or RAR password-protected archived files.[84]

S9033

Fooder

Fooder has stored its embedded payload in encrypted form within the binary, using a hardcoded key modified at runtime to produce the AES decryption key.[85]

G0093

GALLIUM

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[86]

G0084

Gallmaker

Gallmaker obfuscated shellcode used during execution.[87]

G0047

Gamaredon Group

Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[88] Additionally, Gamaredon Group has used an obfuscated .drv file.[89]

S1138

Gootloader

The Gootloader first stage script is obfuscated using random alphanumeric strings.[90][91]

S0690

Green Lambert

Green Lambert has encrypted strings.[92][93]

S0632

GrimAgent

GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[94]

S0132

H1N1

H1N1 uses multiple techniques to obfuscate strings, including XOR.[95]

S0499

Hancitor

Hancitor has used Base64 to encode malicious links.[96]

S0070

HTTPBrowser

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[97]

S9007

HTTPTroy

HTTPTroy has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions to hinder analysis and detection.[98]

S0203

Hydraq

Hydraq uses basic obfuscation in the form of spaghetti code.[99][100]

S0434

Imminent Monitor

Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.[20]

S0604

Industroyer

Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[7]

S0259

InnaputRAT

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[101]

S0260

InvisiMole

InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.[102][103]

S0189

ISMInjector

ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.[104]

S0201

JPIN

JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[105]

S0283

jRAT

jRAT’s Java payload is encrypted with AES.[106] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[107]

S0265

Kazuar

Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[108]

G0004

Ke3chang

Ke3chang has used Base64-encoded shellcode strings.[109]

S0607

KillDisk

KillDisk uses VMProtect to make reverse engineering the malware more difficult.[110]

G0094

Kimsuky

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[111][112] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[113] Kimsuky has obfuscated strings using Single Instruction Multiple Data (SIMD) instructions that complicate static analysis.[98]

S0641

Kobalos

Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[114]

S0681

Lizar

Lizar has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-V 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server.[115]

S9020

LODEINFO

LODEINFO has used control flow flattening to obfuscate code.[116]

S0447

Lokibot

Lokibot has obfuscated strings with base64 encoding.[117]

S1213

Lumma Stealer

Lumma Stealer has used SmartAssembly to obfuscate .NET payloads.[118]

S0167

Matryoshka

Matryoshka obfuscates API function names using a substitution cipher combined with Base64 encoding.[119]

S0449

Maze

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[120]

S0500

MCMD

MCMD can Base64 encode output strings prior to sending to C2.[121]

S0051

MiniDuke

MiniDuke can use control flow flattening to obscure code.[80]

G1036

Moonstone Sleet

Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation.[122]

G0129

Mustang Panda

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[123][124][125][126][127][128][129][130][31][131][132][133] Mustang Panda has also utilized opaque predicates in payloads to hinder analysis.[134]

S0336

NanoCore

NanoCore's plugins were obfuscated with Eazfuscator.NET 3.3.[135]

S0198

NETWIRE

NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[136]

S1090

NightClub

NightClub can obfuscate strings using a linear congruential generator (LCG): $\text{state}_{n+1} = (690069 \times \text{state}_n + 1) \bmod 2^{32}$.[137]

S0353

NOKKI

NOKKI uses Base64 encoding for strings.[138]

S9025

NOOPLDR

NOOPLDR can use control flow flattening to help hide malicious code.[139][140]

S0138

OLDBAIT

OLDBAIT obfuscates internal strings and unpacks them at startup.[63]

S0264

OopsIE

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[141][142]

S0229

Orz

Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[143]

S0594

Out1

Out1 has the ability to encode data.[144]

S0598

P.A.S. Webshell

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[145]

S0517

Pillowmint

Pillowmint has obfuscated the AES key used for encryption.[146]

S0124

Pisloader

Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.[147]

S0013

PlugX

PlugX can use API hashing and modify the names of strings to evade detection.[51][130]

S0428

PoetRAT

PoetRAT has used a custom encryption scheme for communication between scripts.[148]

S0012

PoisonIvy

PoisonIvy hides any strings related to its own indicators of compromise.[149]

S0518

PolyglotDuke

PolyglotDuke can custom encrypt strings.[80]

S0150

POSHSPY

POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[150]

S0393

PowerStallion

PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.[151]

S1228

PUBLOAD

PUBLOAD has obfuscated DLL names using the ror13AddHash32 algorithm.[124]

S0196

PUNCHBUGGY

PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR.[152]

S0197

PUNCHTRACK

PUNCHTRACK is loaded and executed by a highly obfuscated launcher.[153]

S0650

QakBot

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[154]

S0458

Ramsay

Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[155]

S1130

Raspberry Robin

Raspberry Robin uses mixed-case letters for filenames and commands to evade detection.[156]

G1039

RedCurl

RedCurl has used malware with string encryption.[157] RedCurl has also encrypted data and has encoded PowerShell commands using Base64.[158][159] RedCurl has used PyArmor to obfuscate code execution of LaZagne.[158] Additionally, RedCurl has obfuscated downloaded files by renaming them as commonly used tools and has used echo, instead of file names themselves, to execute files.[160]

S0511

RegDuke

RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[80]

S0332

Remcos

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[161] Remcos can also employ control flow flattening to hinder analysis.[162]

G0106

Rocke

Rocke has modified UPX headers after packing files to break unpackers.[163]

S0240

ROKRAT

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[25][164]

S0148

RTM

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.[165][166]

S9037

RustyWater

RustyWater has an obfuscated function (i.e. love_me__()) that dynamically reconstructs the string WScript.Shell using hard-coded ASCII values and the Chr() function.[167]

S0446

Ryuk

Ryuk can use anti-disassembly and code transformation obfuscation techniques.[62]

S1018

Saint Bot

Saint Bot has been obfuscated to help avoid detection.[168]

S1099

Samurai

Samurai can encrypt the names of requested APIs.[169]

G0034

Sandworm Team

Sandworm Team has used Base64 encoding within malware variants.[170]

S1085

Sardonic

Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[171]

S0461

SDBbot

SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key.[172]

S0596

ShadowPad

ShadowPad has encrypted its payload, a virtual file system, and various files.[173][74]

S9008

Shai-Hulud

Shai-Hulud has utilized double-base64 encoding to store stolen secrets within the GitHub Actions logs of the victim account.[174][175][176][177] Shai-Hulud has also leveraged three layers of base64 encoding of exfiltrated data for anti-forensic purposes.[178]

S0140

Shamoon

Shamoon contains base64-encoded strings.[179]

S0445

ShimRatReporter

ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[180]

S0063

SHOTPUT

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[181][182]

S0623

Siloscape

Siloscape itself is obfuscated and uses obfuscated API calls.[183]

S0633

Sliver

Sliver obfuscates configuration and other static files using native Go libraries such as garble and gobfuscate to inhibit configuration analysis and static detection.[184]

S1104

SLOWPULSE

SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure libdsplibs.so file.[185]

S1035

Small Sieve

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[186]

S1086

Snip3

Snip3 has the ability to obfuscate strings using XOR encryption.[187]

S0627

SodaMaster

SodaMaster can use "stackstrings" for obfuscation.[77]

S0615

SombRAT

SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[188][189][190]

S0516

SoreFang

SoreFang has the ability to encode and RC6 encrypt data sent to C2.[191]

S0142

StreamEx

StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte XOR against 0x91 to encode configuration data.[192]

S1183

StrelaStealer

StrelaStealer has been distributed in ISO archives.[193] StrelaStealer has been delivered in encrypted, password-protected ZIP archives.[194]

S0559

SUNBURST

SUNBURST obfuscated collected system information using a FNV-1a + XOR algorithm.[195]

S0562

SUNSPOT

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion MsBuild.exe process.[196]

S1064

SVCReady

SVCReady can encrypt victim data with an RC4 cipher.[197]

S0242

SynAck

SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[198][199]

S0467

TajMahal

TajMahal has used an encrypted Virtual File System to store plugins.[200]

S0560

TEARDROP

TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[195][201][202]

S0266

TrickBot

TrickBot uses non-descriptive names to hide functionality.[203]

S0094

Trojan.Karagany

Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[204]

S0647

Turian

Turian can use VMProtect for obfuscation.[29]

S0476

Valak

Valak has the ability to base64 encode and XOR encrypt strings.[205][206][207]

G0112

Windshift

Windshift has used string encoding with floating point calculations.[208]

S0117

XTunnel

A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[209]