Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

Data Compressed

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

ID: T1002

Tactic: Exfiltration

Platform:  Linux, Windows, macOS

Data Sources:  Binary file metadata, File monitoring, Process command-line parameters, Process monitoring

Requires Network:  No

Version: 1.0

Examples

NameDescription
ADVSTORESHELL

ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.[1]

APT1

APT1 has used RAR to compress files before moving them outside of the victim network.[2]

APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[3]

APT3

APT3 has used tools to compress data before exfilling it.[4]

BRONZE BUTLER

BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[5]

Calisto

Calisto uses the zip -r command to compress the data collected on the local system.[6][7]

CopyKittens

CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[8]

CORALDECK

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[9]

Daserf

Daserf hides collected data in password-protected .rar archives.[10]

Dragonfly 2.0

Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it.[11]

Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[12]

FIN6

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[13]

FIN8

FIN8 has used RAR to compress collected data before.[14]

Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[15]

iKitten

iKitten will zip up the /Library/Keychains directory before exfiltrating it.[16]

InvisiMole

InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[17]

Ke3chang

The Ke3chang group has been known to compress data before exfiltration.[18]

Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.[19][20][21]

Lurid

Lurid can compress data before sending it.[22]

Magic Hound

Magic Hound has used RAR to stage and compress local folders.[23]

menuPass

menuPass has compressed files before exfiltration using TAR and RAR.[24][25]

OopsIE

OopsIE compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server.[26]

Prikormka

After collecting documents from removable media, Prikormka compresses the collected files.[27]

Proton

Proton zips up files before exfiltrating them.[16]

Pupy

Pupy can compress data with Zip before sending it over C2.[28]

RunningRAT

RunningRAT contains code to compress files.[29]

SeaDuke

SeaDuke compressed data with zlib prior to sending it over C2.[30]

Sowbug

Sowbug extracted documents and bundled them into a RAR archive.[31]

Threat Group-3390

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[32]

ZLib

The ZLib backdoor compresses communications using the standard Zlib compression library.[33]

Mitigation

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting [34] tools, like AppLocker, [35] [36] or Software Restriction Policies [37] where appropriate. [38]

If network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.

Detection

Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.

If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. [39]

References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  3. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  4. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  5. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  6. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  7. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  8. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  9. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  10. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  11. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  12. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  13. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  14. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  15. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  16. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  17. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  18. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  19. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  20. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  2. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  3. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  4. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  5. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  6. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  7. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  8. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  9. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  10. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  11. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  12. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  13. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  14. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  15. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  16. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  17. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  18. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  19. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.