Data Encrypted

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.

Other exfiltration techniques, such as Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol, are then typically used to move the encrypted data out of the network.

ID: T1022
Tactic: Exfiltration
Platform: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
Version: 1.0

Procedure Examples

ADVSTORESHELL

ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[11]

Agent Tesla

Agent Tesla encrypts the data with 3DES before sending it to its C2 server.[19]

Agent.btz

Agent.btz saves system information into an XML file that is then XOR-encoded.[4]

APT32

APT32 backdoors have encrypted data before exfiltration, including by using RC4 encryption.[44][45]

Backdoor.Oldrea

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[14]

BRONZE BUTLER

BRONZE BUTLER has compressed and encrypted data into password-protected RAR archives prior to exfiltration.[39]

CopyKittens

CopyKittens encrypts data with a substitution cipher prior to exfiltration.[37]

CORALDECK

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[7]

Daserf

Daserf hides collected data in password-protected .rar archives.[12]

Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.[13]

Emotet

Emotet has been observed encrypting the data it collects before sending it to the C2 server.[26]

Epic

Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[21][22]

Exaramel for Windows

Exaramel for Windows automatically encrypts files before sending them to the C2 server.[30]

FELIXROOT

FELIXROOT encrypts collected data with AES, Base64-encodes the result, and then sends it to the C2 server.[24]

FIN6

TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key.[35]

FLASHFLOOD

FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.[6]

Gold Dragon

Gold Dragon Base64-encodes data before it is sent to the command and control server; Base64 is an encoding rather than encryption, so the data is only obscured, not protected.[23]

HAWKBALL

HAWKBALL has encrypted data with XOR before sending it over the C2 channel.[28]

Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.[38]

InvisiMole

InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.[1]

Ke3chang

Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[33]

Kimsuky

Kimsuky has used RC4 encryption before exfiltration.[49]

Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. Lazarus Group malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A Lazarus Group malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.[40][41][42][43]

LightNeuron

LightNeuron contains a function to encrypt and store emails that it collects.[29]

Machete

Machete's collected data is encrypted with AES before exfiltration.[31]

menuPass

menuPass has encrypted files and information before exfiltration.[46]

More_eggs

More_eggs has used an RC4-based encryption method for its C2 communications.[32]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[20]

OwaAuth

OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.[2]

Patchwork

Patchwork encrypted the collected files' path with AES and then encoded them with base64.[34]

Prikormka

After collecting files and logs from the victim, Prikormka encrypts some collected data with Blowfish.[25]

RawPOS

RawPOS encodes credit card data it collected from the victim with XOR.[16][17][18]

Reaver

Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[15]

Remexi

Remexi encrypts and adds all gathered browser data into files for upload to C2.[27]

RGDoor

RGDoor encrypts files with XOR before sending them back to the C2 server.[5]

Soft Cell

Soft Cell used WinRAR to compress and encrypt stolen data prior to exfiltration.[48]

SPACESHIP

Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.[6]

T9000

T9000 encrypts collected data using a single byte XOR key.[8]

Threat Group-3390

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[36]

Turla

Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[47]

VERMIN

VERMIN encrypts the collected files using 3DES.[3]

Zebrocy

Zebrocy uses an encryption method similar to RC4 as well as AES to encrypt data before exfiltration.[9][10]
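Several of the entries above (SPACESHIP and FLASHFLOOD, T9000, RGDoor, the FIN6 0xAA key, the RomeoDelta encrypted .zip) describe per-byte transforms that an analyst can undo once the key is known, and a short known plaintext prefix is usually enough to recover it. The Python below is an added example, not code from the cited reports or from any of the implants: it implements the zlib-then-rotate-then-XOR staging scheme as this page describes it, and recovers the key and rotation amount from the expected leading bytes of the decoded data. Assumptions: the page does not state the rotation direction, so a left rotation is assumed (for four bits the direction makes no difference, since a 4-bit rotation of a byte is its own inverse); the "survey" text, the in-memory zip, the MAGIC table and all function names are constructed here.

```python
import io
import zipfile
import zlib


def rol8(value: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def ror8(value: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return rol8(value, (8 - n) % 8)


def encode(data: bytes, key: int, rot: int = 0, deflate: bool = False) -> bytes:
    """Staging transform: optional zlib compression, then per-byte rotate-left
    by `rot` bits, then XOR with the single-byte `key`.  rot=4, key=0x23,
    deflate=True is the SPACESHIP/FLASHFLOOD scheme as the page describes it
    (left rotation is an assumption; for 4 bits the direction does not matter).
    rot=0 is the plain single-byte XOR used by T9000-style samples."""
    if deflate:
        data = zlib.compress(data)
    return bytes(rol8(b, rot) ^ key for b in data)


def decode(blob: bytes, key: int, rot: int = 0, inflate: bool = False) -> bytes:
    """Invert encode(): XOR, rotate right, then optionally zlib-decompress."""
    raw = bytes(ror8(b ^ key, rot) for b in blob)
    return zlib.decompress(raw) if inflate else raw


def recover_key(blob: bytes, magic: bytes, rots=range(8)):
    """Return (key, rot) pairs under which the decoded prefix equals `magic`.

    Every byte is transformed independently, so for a given rotation the first
    magic byte pins the key down; the remaining magic bytes confirm it.  A short
    magic (the two zlib header bytes) can leave a few false candidates, which is
    why callers verify each one by actually decoding."""
    found = []
    for rot in rots:
        key = blob[0] ^ rol8(magic[0], rot)
        if all(ror8(b ^ key, rot) == m for b, m in zip(blob, magic)):
            found.append((key, rot))
    return found


# Leading bytes an analyst expects to find in staged data once it is decoded.
MAGIC = {
    "zlib": b"\x78\x9c",      # zlib stream at the default compression level
    "zip": b"PK\x03\x04",     # zip local file header
    "rar": b"Rar!\x1a\x07",   # RAR archive signature
    "xml": b"<?xml",
}


def recover_and_decode(blob: bytes, magic: bytes, inflate: bool = False):
    """Try each candidate (key, rot); return (key, rot, plaintext) for the first
    one that decodes cleanly.  The zlib checksum rejects false candidates."""
    for key, rot in recover_key(blob, magic):
        try:
            return key, rot, decode(blob, key, rot, inflate=inflate)
        except zlib.error:
            continue
    return None


def demo() -> dict:
    # Constructed sample: a system survey of the kind these implants stage.
    survey = b"<?xml version='1.0'?><host><name>WS-0417</name><user>jdoe</user></host>"

    # SPACESHIP-style staging: deflate, rotate 4, XOR 0x23.
    staged = encode(survey, key=0x23, rot=4, deflate=True)
    spaceship = recover_and_decode(staged, MAGIC["zlib"], inflate=True)

    # Single-byte XOR over a zip archive (rot 0, key 0xAA as in the FIN6 entry).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("survey.xml", survey)
    staged_zip = encode(buf.getvalue(), key=0xAA)
    key, rot, archive = recover_and_decode(staged_zip, MAGIC["zip"])
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        recovered = zf.read("survey.xml")

    return {
        "spaceship": spaceship[:2],          # (0x23, 4)
        "spaceship_ok": spaceship[2] == survey,
        "xor": (key, rot),                   # (0xAA, 0)
        "xor_ok": recovered == survey,
    }


if __name__ == "__main__":
    print(demo())
```

Prefix recovery only works for schemes that transform each byte independently (single-byte XOR, bit rotations, and their combinations). An incrementing XOR key such as Reaver's needs a longer known plaintext, and real ciphers (3DES, AES, RC4, Blowfish) cannot be undone this way at all, which is why the key material in a sample, like OwaAuth's hardcoded DES key, is what an analyst goes looking for first.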

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Encryption software and encrypted files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring of command-line arguments for known encryption and archiving utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. The encryption key or archive password is often passed on the command line, so the captured command line may reveal the key as well as the activity.
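As an added example of the command-line monitoring described above (this is not code from the page or from any vendor product), the following Python scans process-creation events for archivers invoked with a password switch and pulls the password out of the command line. The switch syntax is that of the tools themselves: RAR takes -p<pwd> and -hp<pwd> (the latter also encrypts file names inside the archive), 7-Zip takes -p<pwd>, and Info-ZIP zip takes -P <pwd>. The event list, its field names, and the rule that ignores rar/7z extraction commands are constructed for the example.

```python
import shlex

# Archivers and the switches that put a password on the command line.
# attached=True: password glued to the switch ("-pSECRET", "-hpSECRET").
# attached=False: password is the next argument ("-P SECRET").
# Info-ZIP's "-e" prompts for the password and leaves nothing on the command
# line, so it is deliberately not listed.
ARCHIVERS = {
    "rar.exe":    [("-hp", True), ("-p", True)],
    "winrar.exe": [("-hp", True), ("-p", True)],
    "7z.exe":     [("-p", True)],
    "7za.exe":    [("-p", True)],
    "zip":        [("-P", False)],
}
ADD_COMMANDS = {"a", "u", "m"}   # rar/7z commands that write an archive: add, update, move


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX image path, lower-cased for matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tokenize(cmdline: str) -> list:
    """Split a command line keeping Windows backslashes intact; strip quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def find_password(tokens, switches):
    """Return (switch, password) for the first password switch present, else None."""
    for i, tok in enumerate(tokens):
        for sw, attached in switches:
            if attached and tok.startswith(sw) and len(tok) > len(sw):
                return sw, tok[len(sw):]
            if not attached and tok == sw and i + 1 < len(tokens):
                return sw, tokens[i + 1]
    return None


def detect(event: dict):
    """Flag a process-creation event that creates a password-protected archive."""
    name = image_name(event["image"])
    if name not in ARCHIVERS:
        return None
    tokens = tokenize(event["cmdline"])
    hit = find_password(tokens, ARCHIVERS[name])
    if hit is None:
        return None
    if name != "zip":
        # rar/7z take a command letter; extracting an encrypted archive ("x")
        # is common and benign, creating one ("a") is what this rule is after.
        command = next((t for t in tokens[1:] if not t.startswith("-")), "")
        if command.lower() not in ADD_COMMANDS:
            return None
    switch, password = hit
    return {"image": name, "switch": switch, "password": password,
            "cmdline": event["cmdline"]}


def scan(events):
    return [finding for finding in map(detect, events) if finding]


# Constructed sample events (not taken from any real telemetry).
EVENTS = [
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -r -hpP@ssw0rd! -m5 C:\Users\Public\Libraries\1.rar "C:\Users\jdoe\Documents\*.docx"'},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -pS3cret -mhe=on C:\Windows\Temp\out.7z C:\Users\jdoe\Desktop"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\jdoe\Downloads\tools.7z -pS3cret -oC:\Tools"},  # extraction, benign
    {"image": "/usr/bin/zip",
     "cmdline": "zip -r -P hunter2 /tmp/.x/db.zip /var/lib/app/exports"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['image']}: {f['switch']} password={f['password']!r}")
```

Backup jobs and build pipelines also create password-protected archives, so in practice this is tuned by user, parent process and output path rather than fired on every hit; renamed binaries are missed by the image-name match and need the binary-file metadata data source (original file name, signer) instead.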

A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures.

Network traffic may also be analyzed for entropy to determine if encrypted data is being transmitted. [50] If the communications channel is unencrypted, encrypted files of known file types can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. [51]
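The two network-side checks in the paragraph above, entropy analysis and file-header inspection, as an added example in Python (not code from the page or from the cited papers). It computes Shannon entropy per byte, matches the leading bytes of archive formats that support password-based encryption, and for zip reads the encryption bit in the local file header, which is the one case where the header itself proves the content is encrypted. The payloads, the 7.2 bits-per-byte threshold and the function names are constructed for the example.

```python
import math
import random
import struct
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Leading bytes of archive formats that support password-based encryption.
SIGNATURES = [
    ("rar", b"Rar!\x1a\x07"),
    ("7z", b"7z\xbc\xaf\x27\x1c"),
    ("zip", b"PK\x03\x04"),
]


def zip_entry_encrypted(data: bytes) -> bool:
    """Zip local file header: the general-purpose flag word at offset 6 has
    bit 0 set when the entry is encrypted (traditional ZipCrypto or AES)."""
    if len(data) < 30 or not data.startswith(b"PK\x03\x04"):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def classify(payload: bytes, entropy_threshold: float = 7.2) -> dict:
    """Header check first, entropy second.  Entropy alone cannot tell encrypted
    from compressed data, so on its own it only yields 'high-entropy'."""
    entropy = shannon_entropy(payload)
    fmt = next((name for name, sig in SIGNATURES if payload.startswith(sig)), None)
    if fmt == "zip":
        verdict = "encrypted-archive" if zip_entry_encrypted(payload) else "archive"
    elif fmt in ("rar", "7z"):
        verdict = "archive"   # encryption flags sit deeper in these headers; not parsed here
    elif entropy >= entropy_threshold:
        verdict = "high-entropy"
    else:
        verdict = "plain"
    return {"format": fmt, "entropy": round(entropy, 2), "verdict": verdict}


def zip_local_entry(name: bytes, body: bytes, encrypted: bool) -> bytes:
    """Build one zip local file header plus a stored body.  Constructed for the
    example: the encrypted variant sets the flag but carries no real ZipCrypto
    keystream, which is all the header-based check looks at."""
    flags = 0x0001 if encrypted else 0x0000
    header = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                         zlib.crc32(body) & 0xFFFFFFFF, len(body), len(body),
                         len(name), 0)
    return header + name + body


def demo() -> dict:
    # Constructed payloads standing in for HTTP POST bodies seen on the wire.
    form = b"username=jdoe&action=list&folder=Documents&page=1&" * 40
    rng = random.Random(7)                      # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "form": classify(form),
        "ciphertext": classify(ciphertext),
        "plain_zip": classify(zip_local_entry(b"notes.txt", form, encrypted=False)),
        "encrypted_zip": classify(zip_local_entry(b"notes.txt", ciphertext, encrypted=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

A "high-entropy" verdict is a lead, not a finding: compressed images, video and already-encrypted legitimate traffic look the same, so it is most useful on channels where cleartext is expected (plain HTTP, FTP, DNS) and when combined with destination reputation and volume. None of this applies once the channel itself is TLS-encrypted; there the inspection has to happen at a proxy that terminates TLS, or fall back to the host-side process monitoring described earlier.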

References

  1. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  3. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  4. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  5. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  6. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  7. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  8. Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  9. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  10. ESET. (2018, November 20). Sednit: What's going on with Zebrocy?. Retrieved February 12, 2019.
  11. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  12. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  13. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  14. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  15. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  16. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  17. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  18. Visa. (2015, March). Visa Security Alert: "RawPOS" Malware Targeting Lodging Merchants. Retrieved October 6, 2017.
  19. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  20. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  21. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  22. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  23. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems. Retrieved June 6, 2018.
  24. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  25. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  26. Xiaopeng Zhang. (2017, May 3). Deep Analysis of New Emotet Variant – Part 1. Retrieved April 1, 2019.
  27. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  28. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  29. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  30. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  31. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  32. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  33. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  34. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  35. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  36. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  37. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  38. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  39. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  40. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  41. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  42. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  43. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  44. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  45. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  46. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  47. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  48. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  49. Tarakanov, D. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019.
  50. Zhang, H., Papadopoulos, C., & Massey, D. (2013, April). Detecting encrypted botnet traffic. Retrieved August 19, 2015.
  51. Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.