1. Home
  2. Techniques
  3. Mobile
  4. Data Encrypted

Data Encrypted

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.

ID: T1532
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Exfiltration
Platforms: Android, iOS
Version: 1.0
Created: 10 October 2019
Last Modified: 10 October 2019

Procedure Examples

ID Name Description
S0422 Anubis

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]
S0540 Asacub

Asacub has encrypted C2 communications using Base64-encoded RC4.[2]
S0505 Desert Scorpion

Desert Scorpion can encrypt exfiltrated data.[3]
S0405 Exodus

Exodus One encrypts data using XOR prior to exfiltration.[4]

S0577 FrozenCell

FrozenCell has compressed and encrypted data before exfiltration using password protected .7z archives.[5]
S0535 Golden Cup

Golden Cup has encrypted exfiltrated data using AES in ECB mode.[6]
S0421 GolfSpy

GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[7]
S0424 Triada

Triada encrypts data prior to exfiltration.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user.

References

  1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  2. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  3. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  4. Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.
  1. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  2. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  3. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  4. Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.