Obfuscated Files or Information: Compile After Delivery

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]

ID: T1027.004
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
System Requirements: Compiler software (either native to the system or delivered by the adversary)
Permissions Required: User
Defense Bypassed: Anti-virus, Binary Analysis, Host intrusion prevention systems, Signature-based detection, Static File Analysis
Contributors: Praetorian; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 1.0
Created: 16 March 2020
Last Modified: 29 March 2020

Procedure Examples

ID Name Description
S0348 Cardinal RAT

Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3]

S0673 DarkWatchman

DarkWatchman has used the csc.exe tool to compile a C# executable.[4]

S0661 FoggyWeb

FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.[5]

G0047 Gamaredon Group

Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.[6]

G0069 MuddyWater

MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1]

S0385 njRAT

njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[7]

G0106 Rocke

Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that could be taken to gather common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

DS0022 File File Creation

Monitor for newly constructed files for payloads

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines that look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system. Typically these should only be used in specific and limited cases, like for software development.

References