An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.
ID | Name | Description |
---|---|---|
S0045 | ADVSTORESHELL |
ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[1] |
S0331 | Agent Tesla |
Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[2] |
S0622 | AppleSeed |
AppleSeed has compressed collected data before exfiltration.[3] |
G0007 | APT28 |
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[4] |
G0050 | APT32 |
APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5] |
S0456 | Aria-body |
Aria-body has used ZIP to compress data gathered on a compromised host.[6] |
G0001 | Axiom |
Axiom has compressed and encrypted data prior to exfiltration.[7] |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[8] |
S0521 | BloodHound |
BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[9] |
S0657 | BLUELIGHT | |
S0454 | Cadelspy |
Cadelspy has the ability to compress stolen data into a .cab file.[11] |
S0187 | Daserf |
Daserf hides collected data in password-protected .rar archives.[12] |
G0035 | Dragonfly |
Dragonfly has compressed data into .zip files prior to exfiltration.[13] |
S0567 | Dtrack |
Dtrack packs collected data into a password protected archive.[14] |
S0367 | Emotet |
Emotet has been observed encrypting the data it collects before sending it to the C2 server. [15] |
S0363 | Empire | |
S0091 | Epic |
Epic encrypts collected data using a public key framework before sending it over the C2 channel.[17] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[18] |
S0343 | Exaramel for Windows |
Exaramel for Windows automatically encrypts files before sending them to the C2 server.[19] |
S0267 | FELIXROOT |
FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[20] |
G0037 | FIN6 |
Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[21] |
S0249 | Gold Dragon |
Gold Dragon encrypts data using Base64 before being sent to the command and control server.[22] |
G0072 | Honeybee |
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[23] |
G0004 | Ke3chang |
The Ke3chang group has been known to compress data before exfiltration.[24] |
S0487 | Kessel |
Kessel can RC4-encrypt credentials before sending to the C2.[25] |
S0356 | KONNI |
KONNI has encrypted data and files prior to exfiltration.[26] |
G0032 | Lazarus Group |
Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. [27][28][29][30] |
G0065 | Leviathan |
Leviathan has archived victim's data prior to exfiltration.[31] |
S0395 | LightNeuron |
LightNeuron contains a function to encrypt and store emails that it collects.[32] |
S0681 | Lizar |
Lizar has encrypted data before sending it to the server.[33] |
S0010 | Lurid | |
S0409 | Machete |
Machete stores zipped files with profile data from installed web browsers.[35] |
G0045 | menuPass |
menuPass has encrypted files and information before exfiltration.[36][37] |
S0198 | NETWIRE |
NETWIRE has the ability to compress archived screenshots.[38] |
G0040 | Patchwork |
Patchwork encrypted the collected files' path with AES and then encoded them with base64.[39] |
S0517 | Pillowmint |
Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[40] |
S0113 | Prikormka |
After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish.[41] |
S0279 | Proton | |
S0375 | Remexi |
Remexi encrypts and adds all gathered browser data into files for upload to C2.[43] |
S0253 | RunningRAT |
RunningRAT contains code to compress files.[22] |
S0445 | ShimRatReporter |
ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.[44] |
S0586 | TAINTEDSCRIBE |
TAINTEDSCRIBE has used |
S0257 | VERMIN | |
S0515 | WellMail | |
S0658 | XCSSET |
XCSSET will compress entire |
S0251 | Zebrocy |
Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. [49][50][51] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
System scans can be performed to identify unauthorized archival utilities. |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.
Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.[52]