Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.
A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 |
APT3 has been known to remove indicators of compromise from tools.[1] |
| S0154 | Cobalt Strike |
Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.[2][3] |
| S0187 | Daserf |
Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[4] |
| G0009 | Deep Panda |
Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[5] |
| G0093 | GALLIUM |
GALLIUM ensured each payload had a unique hash, including by using different types of packers.[6] |
| S0237 | GravityRAT |
The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.[7] |
| S0260 | InvisiMole |
InvisiMole has undergone regular technical improvements in an attempt to evade detection.[8] |
| G0049 | OilRig |
OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[9][10] |
| C0014 | Operation Wocao |
During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.[11] |
| G0040 | Patchwork |
Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[12] |
| S0587 | Penquin | |
| S0194 | PowerSploit |
PowerSploit's |
| S0650 | QakBot |
QakBot can make small changes to itself in order to change its checksum and hash value.[16][17] |
| S0559 | SUNBURST |
SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.[18] |
| C0030 | Triton Safety Instrumented System Attack |
In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.[19] |
| G0010 | Turla |
Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[20] |
| G1048 | UNC3886 |
UNC3886 has replaced atomic indicators mentioned in threat intelligence publications, sometimes as quickly as under a week after release.[21] |
| S0579 | Waterbear |
Waterbear can scramble functions not to be executed again with random values.[22] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0189 | Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification | AN0540 |
Detection of known tools or malware flagged by antivirus, followed by a near-term drop of a similar binary with modified signature and resumed activity (execution, C2, or persistence). |
| AN0541 |
Detection of anti-malware quarantining or flagging a tool, followed by a new binary written to disk with a similar function or name and a resumed process chain. |
||
| AN0542 |
Detection of XProtect or AV quarantining a known tool, followed by modification (file size, hash, string) and subsequent re-execution by the same or related user. |