Archive Collected Data, Technique T1560 - Enterprise

S0045

ADVSTORESHELL

ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[2]

S0331

Agent Tesla

Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[3]

S0622

AppleSeed

AppleSeed has compressed collected data before exfiltration.[4]

G0007

APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[1]

G0050

APT32

APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5]

S0456

Aria-body

Aria-body has used ZIP to compress data gathered on a compromised host.[6]

G0001

Axiom

Axiom has compressed and encrypted data prior to exfiltration.[7]

S0093

Backdoor.Oldrea

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[8]

G1043

BlackByte

BlackByte compressed data collected from victim environments prior to exfiltration.[9]

S0521

BloodHound

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[10][11]

S0657

BLUELIGHT

BLUELIGHT can zip files before exfiltration.[12]

S1039

Bumblebee

Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.[13]

S0454

Cadelspy

Cadelspy has the ability to compress stolen data into a .cab file.[14]

S0667

Chrommme

Chrommme can encrypt and store on disk collected data before exfiltration.[15]

S0187

Daserf

Daserf hides collected data in password-protected .rar archives.[16]

G0035

Dragonfly

Dragonfly has compressed data into .zip files prior to exfiltration.[17]

S0567

Dtrack

Dtrack packs collected data into a password-protected archive.[18]

G1003

Ember Bear

Ember Bear has compressed collected data prior to exfiltration.[19]

S0363

Empire

Empire can ZIP directories on the target system.[20]

S0091

Epic

Epic encrypts collected data using a public key framework before sending it over the C2 channel.[21] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[22]

S0343

Exaramel for Windows

Exaramel for Windows automatically encrypts files before sending them to the C2 server.[23]

S0267

FELIXROOT

FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[24]

G0037

FIN6

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[25]

S0249

Gold Dragon

Gold Dragon encrypts data using Base64 before being sent to the command and control server.[26]

S1206

JumbledPath

JumbledPath can compress and encrypt exfiltrated packet captures from targeted devices.[27]

G0004

Ke3chang

The Ke3chang group has been known to compress data before exfiltration.[28]

S0487

Kessel

Kessel can RC4-encrypt credentials before sending them to the C2.[29]

S0356

KONNI

KONNI has encrypted data and files prior to exfiltration.[30]

G0032

Lazarus Group

Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.[31][32][33]

G0065

Leviathan

Leviathan has archived victims' data prior to exfiltration.[34]

S0395

LightNeuron

LightNeuron contains a function to encrypt and store emails that it collects.[35]

S0681

Lizar

Lizar has encrypted data before sending it to the server.[36]

S1101

LoFiSe

LoFiSe can collect files into password-protected ZIP-archives for exfiltration.[37]

S9036

LP-Notes

LP-Notes has encrypted collected credentials using AES-CBC from the CNG API and the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC and the initialization vector 91A4E6F6D51DAEE773A8F00279792578.[38]

G1014

LuminousMoth

LuminousMoth has manually archived stolen files from victim machines before exfiltration.[39]

S0010

Lurid

Lurid can compress data before sending it.[40]

S0409

Machete

Machete stores zipped files with profile data from installed web browsers.[41]

G0045

menuPass

menuPass has encrypted files and information before exfiltration.[42][43]

S9032

MuddyViper

MuddyViper has archived collected web browser data into a file named CacheDump.zip.[38]

S0198

NETWIRE

NETWIRE has the ability to compress archived screenshots.[44]

G0040

Patchwork

Patchwork encrypted the collected files' paths with AES and then encoded them with base64.[45]

S0517

Pillowmint

Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[46]

S1012

PowerLess

PowerLess can encrypt browser database files prior to exfiltration.[47]

S0113

Prikormka

After collecting documents from removable media, Prikormka compresses the collected files and encrypts them with Blowfish.[48]

S0279

Proton

Proton zips up files before exfiltrating them.[49]

S1148

Raccoon Stealer

Raccoon Stealer archives collected system information in a text file, System info.txt, prior to exfiltration.[50]

S0375

Remexi

Remexi encrypts and adds all gathered browser data into files for upload to C2.[51]

S0253

RunningRAT

RunningRAT contains code to compress files.[26]

S0445

ShimRatReporter

ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending them to the C2.[52]

S1140

Spica

Spica can archive collected documents for exfiltration.[53]

S0586

TAINTEDSCRIBE

TAINTEDSCRIBE has used FileReadZipSend to compress a file and send it to C2.[54]

S1196

Troll Stealer

Troll Stealer compresses stolen data prior to exfiltration.[55]

S0257

VERMIN

VERMIN encrypts the collected files using 3-DES.[56]

S0515

WellMail

WellMail can archive files on the compromised host.[57]

S0658

XCSSET

XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.[58]

S0251

Zebrocy

Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration.[59][60][61]