Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

ID: T1002
Tactic: Exfiltration
Platform: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Version: 1.0

Procedure Examples

| Name | Description |
| --- | --- |
| ADVSTORESHELL | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm. [12] |
| APT1 | APT1 has used RAR to compress files before moving them outside of the victim network. [27] |
| APT28 | APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks. [34] |
| APT3 | APT3 has used tools to compress data before exfilling it. [33] |
| APT32 | APT32's backdoor has used LZMA compression before exfiltration. [44] |
| APT33 | APT33 has used WinRAR to compress data prior to exfil. [45] |
| APT39 | APT39 has used WinRAR and 7-Zip to compress and archive stolen data. [43] |
| BBSRAT | BBSRAT can compress data with ZLIB prior to sending it back to the C2 server. [22] |
| BRONZE BUTLER | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration. [24] |
| Calisto | Calisto uses the zip -r command to compress the data collected on the local system. [13] [14] |
| Cardinal RAT | Cardinal RAT applies compression to C2 traffic using the ZLIB library. [18] |
| CopyKittens | CopyKittens uses ZPP, a .NET console program, to compress files with ZIP. [25] |
| CORALDECK | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated. [20] |
| Daserf | Daserf hides collected data in password-protected .rar archives. [8] |
| Denis | Denis compressed collected data using zlib. [21] |
| Dragonfly 2.0 | Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it. [39] |
| Duqu | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it. [7] |
| Empire | Empire can ZIP directories on the target system. [2] |
| Epic | Epic compresses the collected data with bzip2 before sending it to the C2 server. [6] |
| FIN6 | Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration. [29] |
| FIN8 | FIN8 has used RAR to compress collected data before. [28] |
| Gallmaker | Gallmaker has used WinZip, likely to archive data prior to exfiltration. [46] |
| Honeybee | Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server. [26] |
| iKitten | iKitten will zip up the /Library/Keychains directory before exfiltrating it. [15] |
| InvisiMole | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated. [19] |
| Ke3chang | The Ke3chang group has been known to compress data before exfiltration. [38] |
| Lazarus Group | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. [40] [41] [42] |
| Lurid | Lurid can compress data before sending it. [17] |
| Magic Hound | Magic Hound has used RAR to stage and compress local folders. [32] |
| menuPass | menuPass has compressed files before exfiltration using TAR and RAR. [36] [37] |
| Micropsia | Micropsia creates a RAR archive based on collected files on the victim's machine. [16] |
| MuddyWater | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded. [35] |
| OopsIE | OopsIE compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server. [9] |
| PoshC2 | PoshC2 contains a module for compressing data using ZIP. [3] |
| Prikormka | After collecting documents from removable media, Prikormka compresses the collected files. [10] |
| Proton | Proton zips up files before exfiltrating them. [15] |
| PUNCHBUGGY | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil. [23] |
| Pupy | Pupy can compress data with Zip before sending it over C2. [1] |
| RunningRAT | RunningRAT contains code to compress files. [4] |
| SeaDuke | SeaDuke compressed data with zlib prior to sending it over C2. [5] |
| Soft Cell | Soft Cell used winrar to compress and encrypt stolen data prior to exfiltration. [47] |
| Sowbug | Sowbug extracted documents and bundled them into a RAR archive. [30] |
| Threat Group-3390 | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. [31] |
| ZLib | The ZLib backdoor compresses communications using the standard Zlib compression library. [11] |

Mitigations

| Mitigation | Description |
| --- | --- |
| Network Intrusion Prevention | Network intrusion prevention or data loss prevention tools may be set to block specific file types from leaving the network over unencrypted channels. An adversary may move to an encrypted channel or use other mechanisms of encapsulating the traffic in these situations. |

Detection

Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.
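The following is an added example, not part of the original ATT&CK page: a triage scorer for process command-line events that separates archive creation from ordinary use of the utilities named above, so that password-protected or temp-staged archives rise above the benign noise. The event fields (`host`, `cmd`), the weights and the sample events are assumptions constructed for illustration.

```python
import re
import shlex

# tool -> (test that the arguments create an archive, password/encryption switch prefixes)
RULES = {
    "rar":     (lambda a: a[:1] == ["a"], ("-hp", "-p")),
    "winrar":  (lambda a: a[:1] == ["a"], ("-hp", "-p")),
    "7z":      (lambda a: a[:1] == ["a"], ("-p", "-mhe")),
    "zip":     (lambda a: True, ("-P", "-e", "--encrypt", "--password")),
    "makecab": (lambda a: True, ()),
}
# A path under a temp directory suggests staging before transfer.
STAGING = re.compile(r"%temp%|[\\/]te?mp[\\/]", re.I)

def score_event(cmdline):
    """Return (score, reasons); a score of 0 means no archive is being created."""
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = shlex.split(cmdline, posix=False) or [""]
    tool = re.sub(r"\.exe$", "", re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower())
    if tool not in RULES:
        return 0, []
    creates, pw_prefixes = RULES[tool]
    lowered = [t.lower() for t in tokens[1:]]
    if not creates(lowered):
        return 0, []
    score, reasons = 1, [f"{tool}: archive creation"]
    # zip's -P is matched case-sensitively; RAR and 7-Zip switches case-insensitively.
    args = tokens[1:] if tool == "zip" else lowered
    if any(a.startswith(pw_prefixes) for a in args):
        score += 2
        reasons.append("password or encryption switch")
    if STAGING.search(cmdline):
        score += 1
        reasons.append("temp/staging path")
    return score, reasons

def triage(events, threshold=2):
    """Return (score, host, reasons) for events at or above threshold, highest first."""
    hits = [(score_event(e["cmd"]), e["host"]) for e in events]
    return sorted([(s, h, r) for (s, r), h in hits if s >= threshold], key=lambda x: -x[0])

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws-01", "cmd": r'"C:\Program Files\WinRAR\Rar.exe" a -hpExample1 C:\Windows\Temp\d.rar C:\Users\a\Documents'},
    {"host": "mac-02", "cmd": "zip -r /tmp/k.zip /Library/Keychains"},
    {"host": "ws-03", "cmd": r"7z.exe x C:\Users\b\Downloads\setup.7z"},
    {"host": "ws-04", "cmd": r"makecab.exe C:\build\out.txt C:\build\out.cab"},
]
```

With the default threshold, `triage(EVENTS)` surfaces the password-protected RAR in a temp directory first and the recursive zip into `/tmp` second; the extraction and the build-time cabinet stay below the threshold.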

If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. [48]
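As an added example (not from the original page), the header analysis described above can be sketched as a classifier over the first bytes of a payload. It covers formats named in the procedure examples and also looks through one layer of base64, as in the Honeybee entry; function names and the sample data are assumptions constructed here.

```python
import base64
import binascii
import io
import zipfile
import zlib

# Fixed magic bytes at offset 0 for formats named on this page.
SIGNATURES = [
    (b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"), (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"), (b"MSCF", "cab"),
]

def looks_like_zlib(buf):
    """zlib has no fixed magic: check the RFC 1950 header, then try to inflate."""
    if len(buf) < 2 or buf[0] & 0x0F != 8 or (buf[0] << 8 | buf[1]) % 31:
        return False
    try:
        zlib.decompressobj().decompress(buf)  # partial streams are accepted
    except zlib.error:
        return False
    return True

def identify(buf):
    """Return the format name for a raw payload prefix, or None."""
    for magic, name in SIGNATURES:
        if buf.startswith(magic):
            return name
    return "zlib" if looks_like_zlib(buf) else None

def identify_payload(buf):
    """Identify a payload prefix, also looking through one layer of base64."""
    head = buf[:64].strip()
    try:
        inner = identify(base64.b64decode(head[: len(head) // 4 * 4], validate=True))
    except (binascii.Error, ValueError):
        inner = None
    return identify(buf) or (f"base64({inner})" if inner else None)

def constructed_zip():
    """A tiny ZIP built in memory (constructed sample, not captured traffic)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("notes.txt", "constructed sample")
    return out.getvalue()

if __name__ == "__main__":
    raw = constructed_zip()
    for data in (raw, base64.b64encode(raw), zlib.compress(raw)):
        print(identify_payload(data))
```

Anything encrypted or otherwise transformed before transfer returns `None`, which is the limit of header inspection that the mitigation text notes.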

References

  1. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  3. Nettitude. (2016, June 8). PoshC2: Powershell C2 Server and Implants. Retrieved April 23, 2019.
  4. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  5. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  6. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  7. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  8. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  9. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  10. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  11. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  12. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  13. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  14. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  15. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  16. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  17. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  18. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  19. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  20. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  21. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  22. Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  23. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  24. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  25. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  26. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  27. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  28. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  29. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  30. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  31. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  32. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  33. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  34. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  35. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  36. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  37. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  38. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  39. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  40. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  41. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  42. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  43. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  44. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  45. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  46. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  47. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  48. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.