Data Obfuscation

Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.

ID: T1001
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Process use of network, Process monitoring, Network protocol analysis
Requires Network:  Yes
Version: 1.0

Procedure Examples

Name Description
APT28

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[22]

Axiom

The Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate. Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[23]

Backdoor.Oldrea

Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1]

BACKSPACE

Newer variants of BACKSPACE will encode C2 communications with a custom system.[15]

BADNEWS

After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.[18]

Bankshot

Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[16]

Cobian RAT

Cobian RAT obfuscates communications with the C2 server using Base64 encoding.[17]

Daserf

Daserf can use steganography to hide malicious code downloaded to the victim.[2]

Downdelph

Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[6]

Duqu

When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.[5]

FakeM

FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers.[14]

FlawedAmmyy

FlawedAmmyy may obfuscate portions of the initial C2 handshake.[20]

H1N1

H1N1 obfuscates C2 traffic with an altered version of base64.[10]

HAMMERTOSS

HAMMERTOSS is controlled via commands that are appended to image files.[4]

HOPLIGHT

HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
[19]

Ixeshe

Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.[7][8]

LightNeuron

LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[21]

P2P ZeuS

P2P ZeuS added junk data to outgoing UDP packets to peer implants.[13]

QUADAGENT

QUADAGENT encodes C2 communications with base64.[9]

RogueRobin

RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.[3]

ZeroT

ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.[11][12]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [24]

References

  1. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  2. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  3. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  4. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  5. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  6. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  7. Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
  8. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  9. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  10. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  11. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  12. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.