Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]
ID | Name | Description |
---|---|---|
S0348 | Cardinal RAT |
Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3] |
S0673 | DarkWatchman |
DarkWatchman has used the |
S0661 | FoggyWeb |
FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[5] |
G0047 | Gamaredon Group |
Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
G0069 | MuddyWater |
MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1] |
S0385 | njRAT |
njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[7] |
G0106 | Rocke |
Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[8] |
S1099 | Samurai |
Samurai can compile and execute downloaded modules at runtime.[9] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. |
DS0022 | File | File Creation |
Monitor for newly constructed files for payloads |
File Metadata |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
||
DS0009 | Process | Process Creation |
Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development. |