Obfuscated Files or Information: Embedded Payloads

Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.[1]

Adversaries may embed payloads in various file formats to hide them.[2] This is similar to Steganography, though it does not involve weaving malicious content into the specific bytes and patterns of legitimate digital media formats.[3]

For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.[4] Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.[5]

Embedded content may also be used as Process Injection payloads to infect benign system processes.[6] These embedded, then injected, payloads may serve as malware modules that provide specific features, such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.[7]

ID: T1027.009
Sub-technique of: T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
System Requirements: User
Contributors: Nick Cairns, @grotezinfosec
Version: 1.1
Created: 30 September 2022
Last Modified: 29 September 2023

Procedure Examples

ID Name Description
S1081 BADHATCH

BADHATCH has an embedded second stage DLL payload within the first stage of the malware.[8]

C0021 C0021

For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[9]

S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can extract RC4 encrypted embedded payloads for privilege escalation.[10]

S0126 ComRAT

ComRAT has embedded an XOR-encrypted communications module inside the orchestrator module.[11][12]

S1052 DEADEYE

The DEADEYE.EMBED variant of DEADEYE has the ability to embed payloads inside of a compiled binary.[13]

S1134 DEADWOOD

DEADWOOD contains an embedded, AES-encrypted payload labeled METADATA that provides configuration information for follow-on execution.[14]

S0567 Dtrack

Dtrack has used a dropper that embeds an encrypted payload as extra data.[15]

S1158 DUSTPAN

DUSTPAN decrypts and executes an embedded payload.[16][17]

S1159 DUSTTRAP

DUSTTRAP contains additional embedded DLLs and configuration files that are loaded into memory during execution.[16]

S0367 Emotet

Emotet has dropped an embedded executable at %Temp%\setup.exe.[18] Additionally, Emotet may embed entire code into other files.[19]

S0483 IcedID

IcedID has embedded malicious functionality in a legitimate DLL file.[20]

S0231 Invoke-PSImage

Invoke-PSImage can be used to embed payload data within a new image file.[3]

S1048 macOS.OSAMiner

macOS.OSAMiner has embedded Stripped Payloads within other run-only Stripped Payloads.[5]

S1137 Moneybird

Moneybird contains a configuration blob embedded in the malware itself.[21]

G1036 Moonstone Sleet

Moonstone Sleet embedded payloads in trojanized software for follow-on execution.[22]

S1135 MultiLayer Wiper

MultiLayer Wiper contains two binaries in its resources section, MultiList and MultiWip. MultiLayer Wiper drops and executes each of these items when run, then deletes them after execution.[23]

S0457 Netwalker

Netwalker's DLL has been embedded within the PowerShell script in hex format.[24]

S1145 Pikabot

Pikabot further decrypts information embedded via steganography using AES-CBC, with the same 32-bit key as the initial XOR operations and the first 16 bytes of the encrypted data as an initialization vector.[25] Other Pikabot variants include encrypted, chunked sections of the stage 2 payload in the initial loader .text section, decrypting and assembling them during execution.[26]

S0649 SMOKEDHAM

The SMOKEDHAM source code is embedded in the dropper as an encrypted string.[27]

G1037 TA577

TA577 has used LNK files to execute embedded DLLs.[28]

S0022 Uroburos

The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.[29]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically detect and quarantine suspicious files.

M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.[30]

Detection

ID Data Source Data Component Detects
DS0022 File File Creation

Monitor for newly constructed files containing large amounts of data. Abnormal file sizes may be an indicator of embedded content.

File Metadata

Monitor contextual data about a file that may highlight embedded payloads, which may include information such as name, the content (ex: signature, headers, or data/media), file size, etc.; correlate with other suspicious behavior to reduce false positives.
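As an added example (not ATT&CK's own content or code from any of the cited reports), the following Python triage helper implements the File Metadata checks above for PE files: it measures the overlay (data appended past the last section), scores its entropy, and scans for nested PE headers, which is how the overlay-embedded and nested-executable procedures listed on this page surface on disk. The sample bytes are constructed here for offline use; `mini_pe` is an assumed stub builder that produces a parseable but not loadable image.

```python
import math
import struct
from collections import Counter

def pe_overlay(data: bytes) -> tuple[int, int]:
    """(overlay_offset, overlay_size): bytes past the last section's raw data.
    The loader never maps them, which is why droppers park payloads there."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * n_sections              # at least the headers themselves
    for i in range(n_sections):                    # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, max(0, len(data) - end)

def embedded_pe_offsets(data: bytes, start: int = 1) -> list[int]:
    """Offsets of nested PE images: an 'MZ' whose e_lfanew lands on 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ", start)
    while pos != -1:
        lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0] if pos + 0x40 <= len(data) else 0
        if lfanew and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads approach 8.0."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def triage(data: bytes) -> dict:
    """The file-metadata signals above: overlay size and entropy plus nested PE offsets."""
    off, size = pe_overlay(data)
    return {"overlay_offset": off, "overlay_size": size,
            "overlay_entropy": round(shannon_entropy(data[off:]), 2),
            "nested_pe": embedded_pe_offsets(data)}

def mini_pe(body: bytes) -> bytes:
    """Constructed PE stand-in: DOS stub, COFF header (no optional header), one section at 0x80."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, opt hdr 0
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0, 0, len(body), 0x80, 0, 0, 0, 0, 0)
    return dos + coff + sect + body                                       # headers fill 0x00..0x7F
SAMPLE = mini_pe(b"\x90" * 32) + mini_pe(bytes(range(256)) * 2)  # host + overlaid nested PE
```

Run `triage(SAMPLE)` to see a 640-byte overlay at offset 160 that contains a second PE header; on real files, a large or high-entropy overlay is the cue to correlate with the process and network behaviour described in the Procedure Examples.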

References

  1. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.
  2. Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.
  3. Barrett Adams. (n.d.). Invoke-PSImage. Retrieved September 30, 2022.
  4. KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.
  5. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  6. Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.
  7. CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.
  8. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  9. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
  10. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  11. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  12. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  13. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  14. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  15. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  16. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  17. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.
  18. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  19. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
  20. Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  21. Marc Salinas Fernandez & Jiri Vinopal. (2023, May 23). AGRIUS DEPLOYS MONEYBIRD IN TARGETED ATTACKS AGAINST ISRAELI ORGANIZATIONS. Retrieved May 21, 2024.
  22. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  23. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  24. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  25. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  26. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you! Retrieved July 12, 2024.
  27. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  28. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
  29. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  30. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.