Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [1] Adversaries may also use compressed or archived scripts, such as JavaScript.
Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]
Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [4] [5][6]
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.[7] |
S1028 | Action RAT |
Action RAT's commands, strings, and domains can be Base64 encoded within the payload.[8] |
S0045 | ADVSTORESHELL |
Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[9][10] |
S0331 | Agent Tesla |
Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.[11] Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.[12] |
S1025 | Amadey |
Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[13] |
S0504 | Anchor |
Anchor has obfuscated code with stack strings and string encryption.[14] |
S0584 | AppleJeus |
AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.[15] |
S0622 | AppleSeed |
AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[16] |
G0099 | APT-C-36 |
APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.[17] |
G0022 | APT3 |
APT3 obfuscates files or information to help evade defensive measures.[18] |
G0067 | APT37 | |
G0096 | APT41 | |
S0640 | Avaddon | |
S1053 | AvosLocker |
AvosLocker has used XOR-encoded strings.[24] |
G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[25] |
G0063 | BlackOasis |
BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.[26] |
S0635 | BoomBox |
BoomBox can encrypt data using AES prior to exfiltration.[27] |
S0651 | BoxCaon |
BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.[28] |
S1063 | Brute Ratel C4 |
Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.[29][30] |
S1039 | Bumblebee |
Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.[31][32][33] |
S0482 | Bundlore |
Bundlore has obfuscated data with base64, AES, RC4, and bz2.[34] |
S1118 | BUSHWALK |
BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.[35] |
C0015 | C0015 |
During C0015, the threat actors used Base64-encoded strings.[36] |
C0017 | C0017 |
During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[37] |
S0030 | Carbanak |
Carbanak encrypts strings to make analysis more difficult.[38] |
S0335 | Carbon |
Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.[39][40] |
S0465 | CARROTBALL |
CARROTBALL has used a custom base64 alphabet to decode files.[41] |
S0660 | Clambling |
The Clambling executable has been obfuscated when dropped on a compromised host.[42] |
S1105 | COATHANGER |
COATHANGER can store obfuscated configuration information in the last 56 bytes of the file |
S0154 | Cobalt Strike |
Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.[44][45] |
S0369 | CoinTicker |
CoinTicker initially downloads a hidden encoded file.[46] |
S0244 | Comnie | |
S0126 | ComRAT |
ComRAT has encrypted its virtual file system using AES-256 in XTS mode.[48][49] |
S0608 | Conficker |
Conficker has obfuscated its code to prevent its removal from host machines.[50] |
S0575 | Conti |
Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.[51][52][53] |
S0137 | CORESHELL |
CORESHELL obfuscates strings using a custom stream cipher.[54] |
S0625 | Cuba |
Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.[55] |
S1111 | DarkGate |
DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.[56] |
S1066 | DarkTortilla |
DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[57] |
S0187 | Daserf |
Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.[58] |
S0354 | Denis | |
S0659 | Diavol |
Diavol has Base64 encoded the RSA public key used for encrypting files.[60] |
S0695 | Donut |
Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[61] |
S0694 | DRATzarus | |
S0384 | Dridex | |
S0502 | Drovorub |
Drovorub has used XOR encrypted payloads in WebSocket client to server messages.[64] |
S0062 | DustySky |
The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.[65] |
G1006 | Earth Lusca |
Earth Lusca used Base64 to encode strings.[66] |
S0377 | Ebury |
Ebury has obfuscated its strings with a simple XOR encryption with a static key.[67] |
S0593 | ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON has encrypted strings with RC4.[68] |
S0624 | Ecipekac |
Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.[69] |
S0605 | EKANS | |
G1003 | Ember Bear |
Ember Bear has obfuscated malware to help avoid detection.[71] |
S0091 | Epic |
Epic heavily obfuscates its code to make analysis more difficult.[72] |
S0512 | FatDuke |
FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.[73] |
S0355 | Final1stspy |
Final1stspy obfuscates strings with base64 encoding.[74] |
S0182 | FinFisher |
FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.[75][76] |
S0696 | Flagpro |
Flagpro has been delivered within ZIP or RAR password-protected archived files.[77] |
G0093 | GALLIUM |
GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[78] |
G0084 | Gallmaker | |
G0047 | Gamaredon Group |
Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.[80] |
S0477 | Goopy |
Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.[59] |
S0690 | Green Lambert |
Green Lambert has encrypted strings.[81][82] |
S0632 | GrimAgent |
GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[83] |
S0132 | H1N1 |
H1N1 uses multiple techniques to obfuscate strings, including XOR.[84] |
S0499 | Hancitor |
Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.[85][86] |
S0070 | HTTPBrowser |
HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.[87] |
S0203 | Hydraq |
Hydraq uses basic obfuscation in the form of spaghetti code.[88][89] |
S0434 | Imminent Monitor |
Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.[17] |
S0604 | Industroyer |
Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.[7] |
S0259 | InnaputRAT |
InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.[90] |
S0260 | InvisiMole |
InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.[91][92] |
S0189 | ISMInjector |
ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.[93] |
S0201 | JPIN |
A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.[94] |
S0283 | jRAT |
jRAT’s Java payload is encrypted with AES.[95] Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.[96] |
S0265 | Kazuar |
Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.[97] |
G0004 | Ke3chang | |
S0585 | Kerrdown |
Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[99] |
S0607 | KillDisk |
KillDisk uses VMProtect to make reverse engineering the malware more difficult.[100] |
G0094 | Kimsuky |
Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.[101][102] Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.[103] |
S0641 | Kobalos |
Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[104] |
S0447 | Lokibot | |
S0167 | Matryoshka |
Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.[106] |
S0449 | Maze |
Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.[107] |
S0500 | MCMD |
MCMD can Base64 encode output strings prior to sending to C2.[108] |
S0051 | MiniDuke |
MiniDuke can use control flow flattening to obscure code.[73] |
G0129 | Mustang Panda |
Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[109][110][111][112][113][114] |
S0336 | NanoCore |
NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[115] |
S0198 | NETWIRE |
NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.[116] |
S1090 | NightClub |
NightClub can obfuscate strings using the congruential generator |
S0353 | NOKKI | |
S0138 | OLDBAIT |
OLDBAIT obfuscates internal strings and unpacks them at startup.[54] |
S0264 | OopsIE |
OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.[119][120] |
S0229 | Orz |
Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[121] |
S0594 | Out1 | |
S0598 | P.A.S. Webshell |
P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.[123] |
S0664 | Pandora |
Pandora has the ability to compress stings with QuickLZ.[124] |
S0517 | Pillowmint |
Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.[125] |
S0124 | Pisloader |
Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.[126] |
S0013 | PlugX |
PlugX can use API hashing and modify the names of strings to evade detection.[42][114] |
S0428 | PoetRAT |
PoetRAT has used a custom encryption scheme for communication between scripts.[127] |
S0012 | PoisonIvy |
PoisonIvy hides any strings related to its own indicators of compromise.[128] |
S0518 | PolyglotDuke |
PolyglotDuke can custom encrypt strings.[73] |
S0453 | Pony |
Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.[129] |
S0150 | POSHSPY |
POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.[130] |
S0393 | PowerStallion |
PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.[131] |
S0196 | PUNCHBUGGY |
PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.[132] |
S0197 | PUNCHTRACK |
PUNCHTRACK is loaded and executed by a highly obfuscated launcher.[133] |
S0650 | QakBot |
QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[134] |
S0458 | Ramsay |
Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.[135] |
S0511 | RegDuke |
RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[73] |
S0332 | Remcos |
Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[136] |
G0106 | Rocke |
Rocke has modified UPX headers after packing files to break unpackers.[137] |
S0240 | ROKRAT |
ROKRAT can encrypt data prior to exfiltration by using an RSA public key.[21][138] |
S0148 | RTM |
RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[139][140] |
S0446 | Ryuk |
Ryuk can use anti-disassembly and code transformation obfuscation techniques.[53] |
S1018 | Saint Bot | |
S1099 | Samurai |
Samurai can encrypt the names of requested APIs and deliver its final payload as a compressed, encrypted and base64 encoded blob.[141] |
G0034 | Sandworm Team |
Sandworm Team has used Base64 encoding within malware variants.[142] |
S1085 | Sardonic |
Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.[143] |
S0461 | SDBbot |
SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.[144] |
S0596 | ShadowPad |
ShadowPad has encrypted its payload, a virtual file system, and various files.[145][66] |
S0140 | Shamoon | |
S0444 | ShimRat |
ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[147] |
S0445 | ShimRatReporter |
ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[147] |
S0063 | SHOTPUT |
SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[148][149] |
S0623 | Siloscape |
Siloscape itself is obfuscated and uses obfuscated API calls.[150] |
S1104 | SLOWPULSE |
SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure |
S1035 | Small Sieve |
Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[152] |
S1086 | Snip3 |
Snip3 has the ability to obfuscate strings using XOR encryption.[153] |
S0627 | SodaMaster |
SodaMaster can use "stackstrings" for obfuscation.[69] |
S0615 | SombRAT |
SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.[154][155][156] |
S0516 | SoreFang |
SoreFang has the ability to encode and RC6 encrypt data sent to C2.[157] |
S0142 | StreamEx |
StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.[158] |
S0559 | SUNBURST |
SUNBURST strings were compressed and encoded in Base64.[159] SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.[160] |
S0562 | SUNSPOT |
SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion <MsBuild.exe process.[161] |
S1064 | SVCReady | |
S0242 | SynAck |
SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.[163][164] |
S0467 | TajMahal |
TajMahal has used an encrypted Virtual File System to store plugins.[165] |
S0560 | TEARDROP |
TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.[160][166][167] |
S0266 | TrickBot |
TrickBot uses non-descriptive names to hide functionality.[168] |
S0094 | Trojan.Karagany |
Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.[169] |
S0647 | Turian | |
S0476 | Valak |
Valak has the ability to base64 encode and XOR encrypt strings.[170][171][172] |
G0112 | Windshift |
Windshift has used string encoding with floating point calculations.[173] |
S0117 | XTunnel |
A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[174] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically detect and quarantine suspicious files. Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. [175] |
M1047 | Audit |
Consider periodic review of common fileless storage locations (such as the Registry or WMI repository) to potentially identify abnormal and malicious data. |
M1040 | Behavior Prevention on Endpoint |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated payloads. [176] |
M1017 | User Training |
Ensure that a finite amount of ingress points to a software deployment system exist with restricted access for those required to allow and enable newly deployed software. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. |
DS0022 | File | File Creation |
Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). |
File Metadata |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179] |
||
DS0011 | Module | Module Load |
Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178] |
DS0009 | Process | OS API Execution |
Monitor and analyze calls to functions such as |
Process Creation |
Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
||
DS0012 | Script | Script Execution |
Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
DS0024 | Windows Registry | Windows Registry Key Creation |
Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads. |
DS0005 | WMI | WMI Creation |
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |