Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.[1] Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. SFX archives typically function by attaching the archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).[2]
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.
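To make the layering in the description concrete, here is an added example (not code from the ATT&CK page or from any of the malware families listed below). It obfuscates a constructed configuration blob with a hardcoded single-byte XOR key and then Base64, checks that a plain string signature for the C2 address no longer matches the on-disk bytes, and includes the analyst-side check a practitioner wants: with a known marker, single-byte XOR has only 256 possible keys and is recovered by brute force once the Base64 layer is stripped. The key value, the configuration contents and the C2 address are all constructed for this example.

```python
import base64
from typing import Optional

# Hardcoded single-byte XOR key. The value is arbitrary for this example;
# several entries in the table below use a similar hardcoded byte.
XOR_KEY = 0x53

# Constructed sample configuration; the address is documentation space, not a real indicator.
SAMPLE_CONFIG = b"c2=http://198.51.100.23:8443/gate.php;sleep=30;id=alpha"
C2_MARKER = b"198.51.100.23"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Repeating single-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def obfuscate(config: bytes, key: int = XOR_KEY) -> bytes:
    """Layer 1: XOR with the hardcoded key. Layer 2: Base64, so the blob can sit
    inside a script, a registry value or a text file without binary bytes."""
    return base64.b64encode(xor_bytes(config, key))


def deobfuscate(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Peel the layers in reverse order (what the malware does at run time)."""
    return xor_bytes(base64.b64decode(blob), key)


def static_match(data: bytes, marker: bytes) -> bool:
    """Stand-in for a string-based signature (AV/YARA) applied to file content."""
    return marker in data


def recover_single_byte_xor(blob: bytes, marker: bytes) -> Optional[int]:
    """Analyst check: strip the Base64 layer, then try all 256 XOR keys until the
    known marker appears. Returns the key, or None if the blob is not valid
    Base64 or no key reveals the marker."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    for key in range(256):
        if marker in xor_bytes(raw, key):
            return key
    return None


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG)
    print("obfuscated blob:", blob.decode())
    print("signature hits plaintext:", static_match(SAMPLE_CONFIG, C2_MARKER))
    print("signature hits obfuscated:", static_match(blob, C2_MARKER))
    print("recovered XOR key:", hex(recover_single_byte_xor(blob, C2_MARKER)))
    print("round trip ok:", deobfuscate(blob) == SAMPLE_CONFIG)
```

The brute force only works because the marker is known and the cipher has a one-byte keyspace; a rotating or PRNG-derived key of the kind several entries below describe defeats it, which is why the same malware families also pair XOR with RC4 or AES for the layers that matter.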
ID | Name | Description |
---|---|---|
G0026 | APT18 | |
G0073 | APT19 | |
G0007 | APT28 | APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[5][6][7][8][9] |
G0050 | APT32 | APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[10][11][12][13][14][15][16] |
G0064 | APT33 | |
G0087 | APT39 | |
C0040 | APT41 DUST | APT41 DUST used encrypted payloads decrypted and executed in memory.[19] |
S0456 | Aria-body | Aria-body has used an encrypted configuration file for its loader.[20] |
S0373 | Astaroth | Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[21] |
S0438 | Attor | Strings in Attor's components are encrypted with a XOR cipher using a hardcoded key, and the configuration data, log files, and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.[22] |
S0347 | AuditCred | |
S0473 | Avenger | Avenger has the ability to XOR encrypt files to be sent to C2.[24] |
S0534 | Bazar | Bazar has used XOR, RSA2, and RC4 encrypted files.[25][26][27] |
S0574 | BendyBear | |
S0268 | Bisonal | Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.[29][30] |
S0570 | BitPaymer | BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.[31] |
G1002 | BITTER | |
S1180 | BlackByte Ransomware | BlackByte Ransomware is distributed as an encrypted payload.[33] |
S0520 | BLINDINGCAN | BLINDINGCAN has obfuscated code using Base64 encoding.[34] |
G0108 | Blue Mockingbird | Blue Mockingbird has obfuscated the wallet address in the payload binary.[35] |
S0657 | BLUELIGHT | |
S0415 | BOOSTWRITE | BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit initialization vector (IV) to evade detection.[37] |
S0484 | Carberp | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[38] |
S0348 | Cardinal RAT | Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[39] |
S0462 | CARROTBAT | CARROTBAT has the ability to download a base64 encoded payload.[40] |
S1041 | Chinoxy | |
S0667 | Chrommme | Chrommme can encrypt sections of its code to evade detection.[42] |
S0046 | CozyCar | The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[43] |
S1153 | Cuckoo Stealer | Cuckoo Stealer strings are XOR-encrypted.[44][45] |
C0029 | Cutting Edge | During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure |
S0497 | Dacls | |
S1014 | DanBot | |
G0070 | Dark Caracal | Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[49] |
S1111 | DarkGate | DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[50] DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.[51] |
G0012 | Darkhotel | Darkhotel has obfuscated code using RC4, XOR, and RSA.[52][53] |
S1033 | DCSrv | |
S1052 | DEADEYE | |
S1134 | DEADWOOD | DEADWOOD contains an embedded, AES-encrypted resource named |
S0213 | DOGCALL | |
S0695 | Donut | Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.[58] |
S1158 | DUSTPAN | |
S1159 | DUSTTRAP | DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.[19] |
G0066 | Elderwood | Elderwood has encrypted documents and malicious executables.[60] |
S0081 | Elise | Elise encrypts several of its files, including configuration files.[61] |
S0082 | Emissary | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.[62][63] |
S0367 | Emotet | |
S0634 | EnvyScout | |
S0401 | Exaramel for Linux | Exaramel for Linux uses RC4 for encrypting the configuration.[66][67] |
S0267 | FELIXROOT | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[68][69] |
S0618 | FIVEHANDS | The FIVEHANDS payload is encrypted with AES-128.[70][71][72] |
S0383 | FlawedGrace | FlawedGrace encrypts its C2 configuration files with AES in CBC mode.[73] |
S0661 | FoggyWeb | |
G0117 | Fox Kitten | Fox Kitten has base64 encoded payloads to avoid detection.[75] |
S1044 | FunnyDream | FunnyDream can Base64 encode its C2 address stored in a template binary with the |
S0410 | Fysbis | |
S0168 | Gazer | Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[77] |
S0493 | GoldenSpy | GoldenSpy's uninstaller has base64-encoded its variables.[78] |
S0588 | GoldMax | GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[79][80] |
S0531 | Grandoreiro | The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[21][81] |
S0237 | GravityRAT | GravityRAT supports file encryption (AES with the key "lolomycin2017").[82] |
S0342 | GreyEnergy | GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[69] |
G0043 | Group5 | Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.[83] |
S0391 | HAWKBALL | HAWKBALL has encrypted the payload with an XOR-based algorithm.[84] |
S0170 | Helminth | |
S0698 | HermeticWizard | HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[86] |
S1027 | Heyoka Backdoor | Heyoka Backdoor can encrypt its payload.[87] |
S0087 | Hi-Zor | Hi-Zor uses various XOR techniques to obfuscate its components.[88] |
S0394 | HiddenWasp | HiddenWasp encrypts its configuration and payload.[89] |
G0126 | Higaisa | |
S0601 | Hildegard | |
S0232 | HOMEFRY | |
S0431 | HotCroissant | HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[94] |
S0398 | HyperBro | HyperBro can be delivered encrypted to a compromised host.[95] |
S0483 | IcedID | IcedID has utilized encrypted binaries and base64 encoded strings.[96] |
G0100 | Inception | Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.[97] |
S1132 | IPsec Helper | IPsec Helper contains an embedded XML configuration file with an encrypted list of command and control servers. These are written to an external configuration file during execution.[56] |
S0581 | IronNetInjector | IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[98] |
S0044 | JHUHUGIT | Many strings in JHUHUGIT are obfuscated with a XOR algorithm.[99][100][8] |
S1190 | Kapeka | Kapeka utilizes AES-256 (CBC mode), XOR, and RSA-2048 encryption schemas for various configuration and other objects.[101] |
S0585 | Kerrdown | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[102] |
S0487 | Kessel | Kessel's configuration is hardcoded and RC4 encrypted within the binary.[103] |
S1020 | Kevin | |
S0387 | KeyBoy | In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[105] |
S1051 | KEYPLUG | KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[55] |
S0526 | KGH_SPY | |
S0356 | KONNI | KONNI is heavily obfuscated and includes encrypted configuration files.[107] |
S0236 | Kwampirs | Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[108] |
S1160 | Latrodectus | Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.[109][110][111] |
G0032 | Lazarus Group | Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[112][113][114][115][47][116][117] |
G0065 | Leviathan | |
S0395 | LightNeuron | LightNeuron encrypts its configuration files with AES-256.[119] |
S1185 | LightSpy | LightSpy encrypts the C2 configuration file using AES with a static key, while the module |
S1202 | LockBit 3.0 | The LockBit 3.0 payload includes an encrypted main component.[121][122] |
S0451 | LoudMiner | |
S1213 | Lumma Stealer | Lumma Stealer has used AES-encrypted payloads contained within PowerShell scripts.[124] |
S1142 | LunarMail | LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.[125] |
S1141 | LunarWeb | The LunarWeb install files have been encrypted with AES-256.[125] |
S1060 | Mafalda | Mafalda has been obfuscated and contains encrypted functions.[126] |
G0059 | Magic Hound | Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[127][128] |
S1182 | MagicRAT | MagicRAT stores base64 encoded command and control URLs in a configuration file, with each URL prefixed with the value |
G1026 | Malteiro | Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.[130] |
S1169 | Mango | |
G0045 | menuPass | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[132][133][134] |
G1013 | Metador | |
S1059 | metaMain | |
S0455 | Metamorfo | |
S0339 | Micropsia | Micropsia obfuscates the configuration with a custom Base64 and XOR.[138][139] |
S1015 | Milan | Milan can encode files containing information about the targeted system.[140][104] |
S1122 | Mispadu | Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.[141] Mispadu also uses encoded configuration files and has encoded payloads using Base64.[141][142][130] |
G0103 | Mofang | Mofang has encrypted payloads before they are downloaded to victims.[143] |
G1036 | Moonstone Sleet | Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.[144] |
S0284 | More_eggs | More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[145] |
G1009 | Moses Staff | Moses Staff has used obfuscated web shells in their operations.[54] |
S0256 | Mosquito | Mosquito's installer is obfuscated with a custom crypter.[146] |
S0228 | NanHaiShu | |
C0002 | Night Dragon | During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[148] |
S1100 | Ninja | The Ninja payload is XOR encrypted and compressed.[149] Ninja has also XORed its configuration data with a constant value of |
S0385 | njRAT | |
G0049 | OilRig | OilRig has encrypted and encoded data in its malware, including by using base64.[152][153][154][155][156] |
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.[157][158][159][160] |
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, skipping bytes equal to zero or to the key itself so that the key is not exposed in the output; other payloads were Base64-encoded.[161] |
C0006 | Operation Honeybee | During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[162] |
C0005 | Operation Spalax | For Operation Spalax, the threat actors used XOR-encrypted payloads.[163] |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[164] |
C0042 | Outer Space | During Outer Space, OilRig deployed VBS droppers with obfuscated strings.[131] |
S1050 | PcShare | PcShare has been encrypted with XOR using different 32-character Base16 strings.[41] |
S0587 | Penquin | Penquin has encrypted strings in the binary for obfuscation.[165] |
S0501 | PipeMon | |
S0113 | Prikormka | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[167] |
S0613 | PS1 | PS1 is distributed as a set of encrypted files and scripts.[168] |
G0024 | Putter Panda | Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[169] |
S1032 | PyDCrypt | PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.[54] |
S1148 | Raccoon Stealer | Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.[170][171][172] |
S0565 | Raindrop | Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[173][174] |
S0629 | RainyDay | |
S1212 | RansomHub | |
S1113 | RAPIDPULSE | RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.[177] |
S0172 | Reaver | |
C0047 | RedDelta Modified PlugX Infection Chain Operations | Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[179] |
S0153 | RedLeaves | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[180] |
S0375 | Remexi | |
S0125 | Remsec | Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[182][183] |
S0496 | REvil | REvil has used encrypted strings and configuration files.[184][185][186][187][188][189][190] |
S0433 | Rifdoor | Rifdoor has encrypted strings with a single byte XOR algorithm.[94] |
S0448 | Rising Sun | Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[191] |
S1150 | ROADSWEEP | The ROADSWEEP binary contains RC4 encrypted embedded scripts.[192][193][194] |
S1210 | Sagerunex | Sagerunex can be passed a reference to an XOR-encrypted configuration file at runtime.[195] |
G1031 | Saint Bear | Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader.[196] |
S0074 | Sakula | Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[197] |
S0370 | SamSam | SamSam has been seen using AES or DES to encrypt payloads and payload components.[198][199] |
S0345 | Seasalt | |
C0045 | ShadowRay | During ShadowRay, threat actors used Base64-encoded Python code to evade detection.[201] |
S1019 | Shark | Shark can use encrypted and encoded files for C2 configuration.[140][202] |
G0121 | Sidewinder | Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[203][204][205] |
S0468 | Skidmap | |
S0633 | Sliver | |
S0226 | Smoke Loader | Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[209][210] |
S1124 | SocGholish | SocGholish has single or double Base-64 encoded references to its second-stage server URLs.[211] |
S0374 | SpeakUp | |
S1030 | Squirrelwaffle | Squirrelwaffle has been obfuscated with a XOR-based algorithm.[213][214] |
S1037 | STARWHALE | STARWHALE has been obfuscated with hex-encoded strings.[215] |
S1200 | StealBit | StealBit stores obfuscated DLL file names in its executable.[216] |
S0380 | StoneDrill | StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[217] |
G1046 | Storm-1811 | Storm-1811 XOR encodes a Cobalt Strike installation payload in a DLL file that is decoded with a hardcoded key when called by a legitimate 7zip installation process.[218] |
S1183 | StrelaStealer | StrelaStealer uses XOR-encoded strings to obfuscate items.[219] |
S0491 | StrongPity | StrongPity has used encrypted strings in its dropper component.[220][221] |
S0603 | Stuxnet | Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[222] |
S0578 | SUPERNOVA | |
S0663 | SysUpdate | SysUpdate can encrypt and encode its configuration file.[224] |
G1018 | TA2541 | TA2541 has used compressed and char-encoded scripts in operations.[225] |
G0092 | TA505 | |
S0011 | Taidoor | Taidoor can use encrypted string blocks for obfuscation.[227] |
G0139 | TeamTNT | TeamTNT has encrypted its binaries via AES and encoded files using Base64.[228][229] |
G0027 | Threat Group-3390 | A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit's shikata_ga_nai encoder.[230][231][232] |
S0665 | ThreatNeedle | ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[233] |
S0131 | TINYTYPHON | TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[234] |
S0678 | Torisma | |
G0134 | Transparent Tribe | Transparent Tribe has dropped encoded executables on compromised hosts.[235] |
S0266 | TrickBot | TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[236] |
G0081 | Tropic Trooper | Tropic Trooper has encrypted configuration files.[237][238] |
S0263 | TYPEFRAME | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[239] |
S1164 | UPSTYLE | UPSTYLE stores primary content as base64-encoded objects.[240][241] |
S0022 | Uroburos | Uroburos can use AES and CAST-128 encryption to obfuscate resources.[242] |
S0386 | Ursnif | Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[243] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[244] |
S0136 | USBStealer | Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[245] |
S0257 | VERMIN | VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[246] |
S1154 | VersaMem | VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.[247] |
S0180 | Volgmer | A Volgmer variant is encoded using a simple XOR cipher.[248] |
S0612 | WastedLocker | The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[249] |
S0579 | Waterbear | Waterbear has used RC4 encrypted shellcode and encrypted functions.[250] |
S0689 | WhisperGate | WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[251][252][253] |
G0107 | Whitefly | |
S0466 | WindTail | WindTail can be delivered as a compressed, encrypted, and encoded payload.[255] |
S0430 | Winnti for Linux | Winnti for Linux can encode its configuration file with single-byte XOR encoding.[256] |
S0141 | Winnti for Windows | Winnti for Windows has the ability to encrypt and compress its payload.[257] |
S1065 | Woody RAT | |
S0658 | XCSSET | Older XCSSET variants use |
S1207 | XLoader | XLoader features encrypted functions using the RC4 algorithm and bytecode operations.[260][261] |
S0388 | YAHOYAH | YAHOYAH encrypts its configuration file using a simple algorithm.[262] |
S0230 | ZeroT | |
S0330 | Zeus Panda | Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings with AES and RC4.[264][265] |
S0672 | Zox | |
S1013 | ZxxZ | ZxxZ has been encoded to avoid detection from static analysis tools.[267] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware | Antivirus can be used to automatically detect and quarantine suspicious files, including those with high entropy or other signs of obfuscation. |
M1040 | Behavior Prevention on Endpoint | On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.[268] Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation | Monitor for newly created files with high entropy that does not match what is normal/expected given the file type and location. |
DS0022 | File | File Metadata | Monitor for and analyze files containing high-entropy content, as this may indicate encrypted data. |
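Both detection rows rest on entropy, so here is an added example (not part of the ATT&CK page) of what that check looks like in practice and where it stops working. The script scores constructed sample files against per-type entropy ceilings and adds the check practitioners usually need next to it: Base64 output is drawn from a 64-symbol alphabet, so it can never score above 6 bits/byte no matter what it wraps, and has to be decoded before the inner content is measured. The thresholds, file names and sample contents are assumptions made for this example; the "ciphertext" is seeded random bytes standing in for an AES-encrypted payload.

```python
import base64
import math
import random
from collections import Counter
from typing import Dict, List, Optional

# Illustrative per-type entropy ceilings in bits per byte. These are assumptions
# for the example, not vendor figures; tune them against a baseline of your own
# fleet. Plain text usually sits around 4.5-5.5, native code well under 7.
ENTROPY_THRESHOLDS: Dict[str, float] = {
    "txt": 6.5, "ps1": 6.5, "vbs": 6.5, "js": 6.5,
    "exe": 7.0, "dll": 7.0, "bin": 7.0,
}
DEFAULT_THRESHOLD = 7.0
INNER_THRESHOLD = 7.0  # applied to content after peeling a Base64 layer
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def peel_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the whole file is one Base64 blob, else None.
    Base64 caps entropy at log2(64) = 6 bits/byte even when it wraps ciphertext,
    so a 7.0 threshold silently misses it unless the layer is removed first."""
    stripped = bytes(b for b in data if b not in b"\r\n\t ")
    if len(stripped) < 32 or len(stripped) % 4 or any(b not in B64_ALPHABET for b in stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:
        return None


def assess(name: str, data: bytes) -> dict:
    """Score one file: raw entropy against its type's ceiling, then the entropy
    of whatever a Base64 layer was hiding."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    threshold = ENTROPY_THRESHOLDS.get(ext, DEFAULT_THRESHOLD)
    entropy = shannon_entropy(data)
    reasons: List[str] = []
    if entropy > threshold:
        reasons.append(f"entropy {entropy:.2f} exceeds {threshold:.1f} for .{ext or '?'} files")
    inner = peel_base64(data)
    if inner is not None:
        inner_entropy = shannon_entropy(inner)
        if inner_entropy > INNER_THRESHOLD:
            reasons.append(f"Base64 layer wraps high-entropy content ({inner_entropy:.2f})")
    return {"name": name, "entropy": round(entropy, 3), "flagged": bool(reasons), "reasons": reasons}


# Constructed samples. CIPHERTEXT is seeded random data standing in for an
# AES-encrypted payload; PLAIN_CONFIG is a low-entropy text configuration.
_rng = random.Random(20240101)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CONFIG = b"sleep=30;retry=5;log=off;c2=https://example.invalid/\n" * 80
SAMPLES: Dict[str, bytes] = {
    "notes.txt": PLAIN_CONFIG,                            # benign text
    "config.txt": base64.b64encode(PLAIN_CONFIG),         # benign Base64 of text: must not flag
    "payload.dll": CIPHERTEXT,                            # encrypted file written to disk
    "loader.ps1": base64.b64encode(CIPHERTEXT),           # encrypted payload hidden as Base64 in a script
    "stage.bin": bytes(b ^ 0x53 for b in PLAIN_CONFIG),   # single-byte XOR of the text config
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, dict]:
    return {name: assess(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in scan().values():
        status = "FLAG" if result["flagged"] else "ok  "
        print(f"{status} {result['name']:<12} H={result['entropy']:.2f} {'; '.join(result['reasons'])}")
```

The `stage.bin` sample shows the other limit of this detection: a single-byte XOR permutes byte values without changing their histogram, so the obfuscated file scores exactly the same entropy as its plaintext and no threshold will flag it. That case needs a string- or key-recovery check rather than a higher entropy ceiling.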