Data Obfuscation: Junk Data

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

ID: T1001.001
Sub-technique of:  T1001
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 15 March 2020
Last Modified: 15 March 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[1]

S0574 BendyBear

BendyBear has used byte randomization to obscure its behavior.[2]

S0134 Downdelph

Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[3]

S0588 GoldMax

GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[4]

S0632 GrimAgent

GrimAgent can pad C2 messages with random generated values.[5]

S1020 Kevin

Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[6]

S1047 Mori

Mori has obfuscated the FML.dll with 200MB of junk data.[7]

S0016 P2P ZeuS

P2P ZeuS added junk data to outgoing UDP packets to peer implants.[8]

S0626 P8RAT

P8RAT can send randomly-generated data as part of its C2 communication.[9]

S0435 PLEAD

PLEAD samples were found to be highly obfuscated with junk code.[10][11]

S0559 SUNBURST

SUNBURST added junk bytes to its C2 over HTTP.[12]

S0682 TrailBlazer

TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[13]

S0647 Turian

Turian can insert pseudo-random characters into its network encryption setup.[14]

S0022 Uroburos

Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.[15]

S0514 WellMess

WellMess can use junk data in the Base64 string for additional obfuscation.[16]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

References