Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.[1] Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).[2]
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.
ID | Name | Description |
---|---|---|
G0026 | APT18 | |
G0073 | APT19 | |
G0007 | APT28 |
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.[5][6][7][8][9] |
G0050 | APT32 |
APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.[10][11][12][13][14][15][16] |
G0064 | APT33 | |
G0087 | APT39 | |
S0456 | Aria-body |
Aria-body has used an encrypted configuration file for its loader.[19] |
S0373 | Astaroth |
Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.[20] |
S0438 | Attor |
Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.[21] |
S0347 | AuditCred | |
S0473 | Avenger |
Avenger has the ability to XOR encrypt files to be sent to C2.[23] |
S1081 | BADHATCH | |
S0534 | Bazar |
Bazar has used XOR, RSA2, and RC4 encrypted files.[25][26][27] |
S0574 | BendyBear | |
S0268 | Bisonal |
Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.[29][30] |
S0570 | BitPaymer |
BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.[31] |
G1002 | BITTER | |
S0520 | BLINDINGCAN |
BLINDINGCAN has obfuscated code using Base64 encoding.[33] |
G0108 | Blue Mockingbird |
Blue Mockingbird has obfuscated the wallet address in the payload binary.[34] |
S0657 | BLUELIGHT | |
S0415 | BOOSTWRITE |
BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.[36] |
S0484 | Carberp |
Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[37] |
S0348 | Cardinal RAT |
Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.[38] |
S0462 | CARROTBAT |
CARROTBAT has the ability to download a base64 encoded payload.[39] |
S1041 | Chinoxy | |
S0667 | Chrommme |
Chrommme can encrypt sections of its code to evade detection.[41] |
S0046 | CozyCar |
The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.[42] |
C0029 | Cutting Edge |
During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure |
S0497 | Dacls | |
S1014 | DanBot | |
G0070 | Dark Caracal |
Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[46] |
S1111 | DarkGate |
DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.[47] DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.[48] |
G0012 | Darkhotel |
Darkhotel has obfuscated code using RC4, XOR, and RSA.[49][50] |
S0673 | DarkWatchman |
DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.[51] |
S1033 | DCSrv | |
S1052 | DEADEYE | |
S0213 | DOGCALL | |
G0066 | Elderwood |
Elderwood has encrypted documents and malicious executables.[55] |
S0081 | Elise |
Elise encrypts several of its files, including configuration files.[56] |
S0082 | Emissary |
Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.[57][58] |
S0634 | EnvyScout | |
S0401 | Exaramel for Linux |
Exaramel for Linux uses RC4 for encrypting the configuration.[60][61] |
S0267 | FELIXROOT |
FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[62][63] |
S0618 | FIVEHANDS |
The FIVEHANDS payload is encrypted with AES-128.[64][65][66] |
S0383 | FlawedGrace |
FlawedGrace encrypts its C2 configuration files with AES in CBC mode.[67] |
S0661 | FoggyWeb | |
G0117 | Fox Kitten |
Fox Kitten has base64 encoded payloads to avoid detection.[69] |
S1044 | FunnyDream |
FunnyDream can Base64 encode its C2 address stored in a template binary with the |
S0410 | Fysbis | |
S0168 | Gazer |
Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.[71] |
S0666 | Gelsemium | |
S0493 | GoldenSpy |
GoldenSpy's uninstaller has base64-encoded its variables. [72] |
S0588 | GoldMax |
GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.[73][74] |
S0531 | Grandoreiro |
The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.[20][75][75] |
S0237 | GravityRAT |
GravityRAT supports file encryption (AES with the key "lolomycin2017").[76] |
S0342 | GreyEnergy |
GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.[63] |
G0043 | Group5 |
Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.[77] |
S0391 | HAWKBALL |
HAWKBALL has encrypted the payload with an XOR-based algorithm.[78] |
S0170 | Helminth | |
S0697 | HermeticWiper |
HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[80][81][82] |
S0698 | HermeticWizard |
HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[83] |
S1027 | Heyoka Backdoor |
Heyoka Backdoor can encrypt its payload.[84] |
S0087 | Hi-Zor |
Hi-Zor uses various XOR techniques to obfuscate its components.[85] |
S0394 | HiddenWasp |
HiddenWasp encrypts its configuration and payload.[86] |
G0126 | Higaisa | |
S0601 | Hildegard | |
S0232 | HOMEFRY | |
S0431 | HotCroissant |
HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[91] |
S0398 | HyperBro |
HyperBro can be delivered encrypted to a compromised host.[92] |
S0483 | IcedID |
IcedID has utilzed encrypted binaries and base64 encoded strings.[93] |
G0100 | Inception |
Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.[94] |
S0581 | IronNetInjector |
IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.[95] |
S0044 | JHUHUGIT |
Many strings in JHUHUGIT are obfuscated with a XOR algorithm.[96][97][8] |
S0487 | Kessel |
Kessel's configuration is hardcoded and RC4 encrypted within the binary.[98] |
S1020 | Kevin | |
S0387 | KeyBoy |
In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.[100] |
S1051 | KEYPLUG |
KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[53] |
S0526 | KGH_SPY | |
S0356 | KONNI |
KONNI is heavily obfuscated and includes encrypted configuration files.[102] |
S0236 | Kwampirs |
Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.[103] |
G0032 | Lazarus Group |
Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.[104][105][106][107][44][108][109] |
G0065 | Leviathan |
Leviathan has obfuscated code using base64 and gzip compression.[110] |
S0395 | LightNeuron |
LightNeuron encrypts its configuration files with AES-256.[111] |
S0451 | LoudMiner | |
S1060 | Mafalda |
Mafalda has been obfuscated and contains encrypted functions.[113] |
G0059 | Magic Hound |
Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.[114][115] |
G1026 | Malteiro |
Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.[116] |
G0045 | menuPass |
menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[117][118][119] |
G1013 | Metador | |
S1059 | metaMain | |
S0455 | Metamorfo | |
S0339 | Micropsia |
Micropsia obfuscates the configuration with a custom Base64 and XOR.[123][124] |
S1015 | Milan |
Milan can encode files containing information about the targeted system.[125][99] |
S1122 | Mispadu |
Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.[126] Mispadu also uses encoded configuration files and has encoded payloads using Base64.[126][127][116] |
G0103 | Mofang |
Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.[128] |
G0021 | Molerats |
Molerats has delivered compressed executables within ZIP files to victims.[129] |
S0284 | More_eggs |
More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.[130] |
G1009 | Moses Staff |
Moses Staff has used obfuscated web shells in their operations.[52] |
S0256 | Mosquito |
Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.[131] |
S0228 | NanHaiShu | |
C0002 | Night Dragon |
During Night Dragon, threat actors used a DLL that included an XOR-encoded section.[133] |
S1100 | Ninja |
The Ninja payload is XOR encrypted and compressed.[134] Ninja has also XORed its configuration data with a constant value of |
S0385 | njRAT | |
G0049 | OilRig |
OilRig has encrypted and encoded data in its malware, including by using base64.[137][138][139][140][141] |
C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.[142][143][144][145] |
C0016 | Operation Dust Storm |
During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.[146] |
C0006 | Operation Honeybee |
During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.[147] |
C0005 | Operation Spalax |
For Operation Spalax, the threat actors used XOR-encrypted payloads.[148] |
S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.[149] |
S1050 | PcShare |
PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.[40] |
S0587 | Penquin |
Penquin has encrypted strings in the binary for obfuscation.[150] |
S0501 | PipeMon | |
S0113 | Prikormka |
Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[152] |
S0613 | PS1 |
PS1 is distributed as a set of encrypted files and scripts.[153] |
G0024 | Putter Panda |
Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[154] |
S1032 | PyDCrypt |
PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.[52] |
S0565 | Raindrop |
Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.[155][156] |
S0629 | RainyDay | |
S1113 | RAPIDPULSE |
RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.[158] |
S0662 | RCSession |
RCSession can compress and obfuscate its strings to evade detection on a compromised host.[92] |
S0172 | Reaver | |
S0153 | RedLeaves |
A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[160] |
S0375 | Remexi | |
S0125 | Remsec |
Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[162][163] |
S0496 | REvil |
REvil has used encrypted strings and configuration files.[164][165][166][167][168][169][170] |
S0433 | Rifdoor |
Rifdoor has encrypted strings with a single byte XOR algorithm.[91] |
S0448 | Rising Sun |
Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[171] |
S0074 | Sakula |
Sakula uses single-byte XOR obfuscation to obfuscate many of its files.[172] |
S0370 | SamSam |
SamSam has been seen using AES or DES to encrypt payloads and payload components.[173][174] |
S0345 | Seasalt | |
S1019 | Shark |
Shark can use encrypted and encoded files for C2 configuration.[125][176] |
G0121 | Sidewinder |
Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.[177][178][179] |
S0468 | Skidmap | |
S0633 | Sliver | |
S0226 | Smoke Loader |
Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.[183][184] |
S1124 | SocGholish |
The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.[185][186] SocGholish has also single or double Base-64 encoded references to its second-stage server URLs.[187] |
S0374 | SpeakUp | |
S1030 | Squirrelwaffle |
Squirrelwaffle has been obfuscated with a XOR-based algorithm.[189][190] |
S1037 | STARWHALE |
STARWHALE has been obfuscated with hex-encoded strings.[191] |
S0380 | StoneDrill |
StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.[192] |
S0491 | StrongPity |
StrongPity has used encrypted strings in its dropper component.[193][194] |
S0603 | Stuxnet |
Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[195] |
S0578 | SUPERNOVA | |
S0663 | SysUpdate |
SysUpdate can encrypt and encode its configuration file.[197] |
G1018 | TA2541 |
TA2541 has used compressed and char-encoded scripts in operations.[198] |
G0092 | TA505 | |
S0011 | Taidoor |
Taidoor can use encrypted string blocks for obfuscation.[200] |
G0139 | TeamTNT |
TeamTNT has encrypted its binaries via AES and encoded files using Base64.[201][202] |
G0027 | Threat Group-3390 |
A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[203][204][205] |
S0665 | ThreatNeedle |
ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[206] |
S0131 | TINYTYPHON |
TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.[207] |
S0678 | Torisma | |
G0134 | Transparent Tribe |
Transparent Tribe has dropped encoded executables on compromised hosts.[208] |
S0266 | TrickBot |
TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[209] |
G0081 | Tropic Trooper |
Tropic Trooper has encrypted configuration files.[210][211] |
S0263 | TYPEFRAME |
APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[212] |
S0022 | Uroburos |
Uroburos can use AES and CAST-128 encryption to obfuscate resources.[213] |
S0386 | Ursnif |
Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.[214] Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.[215] |
S0136 | USBStealer |
Most strings in USBStealer are encrypted using 3DES and XOR and reversed.[216] |
S0257 | VERMIN |
VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[217] |
S0180 | Volgmer |
A Volgmer variant is encoded using a simple XOR cipher.[218] |
S0612 | WastedLocker |
The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[219] |
S0579 | Waterbear |
Waterbear has used RC4 encrypted shellcode and encrypted functions.[220] |
S0689 | WhisperGate |
WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[221][222][223] |
G0107 | Whitefly | |
S0466 | WindTail |
WindTail can be delivered as a compressed, encrypted, and encoded payload.[225] |
S0430 | Winnti for Linux |
Winnti for Linux can encode its configuration file with single-byte XOR encoding.[226] |
S0141 | Winnti for Windows |
Winnti for Windows has the ability to encrypt and compress its payload.[227] |
S1065 | Woody RAT | |
S0388 | YAHOYAH |
YAHOYAH encrypts its configuration file using a simple algorithm.[229] |
S0230 | ZeroT | |
S0330 | Zeus Panda |
Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.[231][232] |
S0672 | Zox | |
S1013 | ZxxZ |
ZxxZ has been encoded to avoid detection from static analysis tools.[234] |
ID | Mitigation | Description |
---|---|---|
M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically detect and quarantine suspicious files, including those with high entropy measurements or with otherwise potentially malicious signs of obfuscation. |
M1040 | Behavior Prevention on Endpoint |
On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.[235] Security tools should be configured to analyze the encoding properties of files and detect anomalies that deviate from standard encoding practices. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation |
Monitor for files with large entropy which don’t match what is normal/expected given the file type and location. |
File Metadata |
Monitor for and analyze files which contain content with large entropy, as this may indicate potentially malicious compressed or encrypted data. |