Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of the binary, but it can increase the file size beyond what some security tools are capable of handling due to file size limitations.
Binary padding changes the checksum of the file and can therefore be used to evade hash-based blocklists and static anti-virus signatures.[1] The padding is commonly generated by a function that produces junk data, which is then appended to the end of the file or inserted into sections of the malware.[2] Increasing the file size may reduce the effectiveness of tools and detection capabilities that are not designed or configured to scan large files, and may also reduce the likelihood of the sample being collected for analysis. Public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file that will be analyzed.[3]
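The following is an added example, not code from the ATT&CK page or from any of the projects listed below. It shows the two layout checks a practitioner would run against a Windows executable to spot the padding patterns described above: bytes sitting in front of the MZ header (data prepended to the file) and an overlay of bytes past the end of the last section (data appended to the file), classified by null-byte fraction and Shannon entropy. It also hashes the section contents rather than the whole file, which stays stable across both kinds of padding. The PE builder, the padded variants and the `scanner_limit` value are all constructed test input and assumptions for illustration, not real samples or a real tool's limit.

```python
import hashlib
import math
import random
import struct

FILE_ALIGN = 0x200


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Construct a synthetic single-section PE32 file for testing (not a real sample).
    Only the fields a layout parser reads are filled in: MZ, e_lfanew, PE signature,
    COFF header, optional-header magic and one section table entry."""
    pe_off, opt_size, nsec = 0x40, 224, 1
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    raw_size = _align(len(section_payload))
    raw_ptr = _align(pe_off + 4 + len(coff) + opt_size + 40 * nsec)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(raw_ptr, b"\0") + section_payload.ljust(raw_size, b"\0")


def locate_pe_header(data: bytes):
    """Return (mz_offset, pe_offset) of the first MZ header whose e_lfanew lands on a
    PE signature, or None. Scanning instead of assuming offset 0 is what catches
    data prepended in front of the executable."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                return pos, pe
        pos = data.find(b"MZ", pos + 1)
    return None


def parse_sections(data: bytes, pe: int):
    """Yield (name, PointerToRawData, SizeOfRawData) for each section table entry."""
    (nsec,) = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    if table + 40 * nsec > len(data):
        return
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def inspect_pe(data: bytes, scanner_limit: int = 32 * 1024 * 1024) -> dict:
    """Report padding indicators. scanner_limit is an assumed per-file cap of the
    scanner being evaluated (hypothetical value; tune it to the real tool)."""
    report = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
              "valid_pe": False, "findings": []}
    loc = locate_pe_header(data)
    if loc is None:
        report["findings"].append("no PE header found")
        return report
    mz, pe = loc
    sections = list(parse_sections(data, pe))
    if not sections:
        report["findings"].append("empty or truncated section table")
        return report
    image_end = mz + max(ptr + size for _, ptr, size in sections)
    overlay = data[image_end:]
    # Hash the section contents only: constant across prepended and appended padding,
    # unlike the whole-file hash the adversary is deliberately changing.
    section_hash = hashlib.sha256(
        b"".join(data[mz + ptr:mz + ptr + size] for _, ptr, size in sections)).hexdigest()
    report.update(valid_pe=True, mz_offset=mz, overlay_size=len(overlay),
                  overlay_entropy=shannon_entropy(overlay), section_sha256=section_hash)
    if mz:
        report["findings"].append(f"{mz} bytes prepended before the MZ header")
    if overlay:
        nulls = overlay.count(0) / len(overlay)
        if nulls > 0.9:
            report["findings"].append(f"{len(overlay)}-byte overlay is {nulls:.0%} null bytes")
        elif report["overlay_entropy"] > 7.5:
            report["findings"].append(f"{len(overlay)}-byte high-entropy overlay (random junk or packed data)")
        if len(overlay) > len(data) // 2:
            report["findings"].append("overlay is more than half of the file")
    if len(data) > scanner_limit:
        report["findings"].append(f"file exceeds the assumed scanner limit of {scanner_limit} bytes")
    return report


def demo() -> dict:
    """Constructed variants of one executable: clean, null-appended, random-appended
    and junk-prepended (129 bytes, the size mentioned for Latrodectus above)."""
    base = build_minimal_pe(b"\x55\x89\xe5\x31\xc0\x5d\xc3")  # tiny stand-in .text
    rng = random.Random(2024)
    rnd = lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")
    variants = {"clean": base, "appended_nulls": base + b"\0" * 65536,
                "appended_random": base + rnd(65536), "prepended_junk": rnd(129) + base}
    return {name: inspect_pe(blob) for name, blob in variants.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:16} size={r['size']:>6} mz@{r.get('mz_offset')} overlay={r.get('overlay_size')} "
              f"sha256={r['sha256'][:12]} sections={r.get('section_sha256', '')[:12]} {r['findings']}")
```

Running the block prints four different whole-file SHA-256 values but a single section hash, which is the practical takeaway: blocklists keyed on the full-file hash are defeated by a one-byte change, whereas hashing only the mapped section bytes (or using a structural hash such as imphash) survives the padding shown in the procedure examples. The overlay and prepend checks are cheap enough to run on-access, and a large overlay that is almost entirely null bytes or almost perfectly random is worth a second look regardless of what the rest of the file says.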
ID | Name | Description |
---|---|---|
G1024 | Akira | |
G0016 | APT29 | APT29 used large files to avoid detection by security solutions with hardcoded size limits.[5] |
S0268 | Bisonal | Bisonal has appended random binary data to the end of itself to generate a large binary.[6] |
S1070 | Black Basta | Black Basta has added data prior to the Portable Executable (PE) header to prevent automatic scanners from identifying the payload.[7] |
G0060 | BRONZE BUTLER | BRONZE BUTLER downloader code has included "0" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.[8][9] |
S1149 | CHIMNEYSWEEP | The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size.[10] |
S0244 | Comnie | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[11] |
S0614 | CostaBricks | CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.[12] |
S0082 | Emissary | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.[13] |
S0367 | Emotet | Emotet inflates malicious files and malware as an evasion technique.[14] |
S0477 | Goopy | Goopy has had null characters padded into its malicious DLL payload.[15] |
S0531 | Grandoreiro | Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size.[16] |
S0632 | GrimAgent | GrimAgent has the ability to add bytes to change the file hash.[17] |
G0126 | Higaisa | Higaisa performed padding with null bytes before calculating its hash.[18] |
S0528 | Javali | Javali can use large obfuscated libraries to hinder detection and analysis.[19] |
S0236 | Kwampirs | Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.[20] |
S1160 | Latrodectus | Latrodectus has been obfuscated with a 129 byte sequence of junk data prepended to the file.[21] |
G0065 | Leviathan | Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.[22] |
S1185 | LightSpy | LightSpy's configuration file is appended to the end of the binary. For example, the last |
G0002 | Moafee | |
G0040 | Patchwork | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[25] |
S0650 | QakBot | |
S0433 | Rifdoor | Rifdoor has added four additional bytes of data upon launching, then saved the changed version as |
S1086 | Snip3 | Snip3 can obfuscate strings using junk Chinese characters.[29] |
S0586 | TAINTEDSCRIBE | TAINTEDSCRIBE can execute |
This type of attack technique cannot be easily mitigated with preventive controls, since it is based on the abuse of system features: padding is legitimate file content, and a scanner's file size limit is a property of the tool rather than of the system being protected.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Metadata | Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool, for example by flagging large runs of null or random bytes appended after the last section or prepended before the executable header. When executed, the resulting process from a padded file may also exhibit other behavior characteristic of an intrusion, such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point back to the source file. |