
File Deletion

Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. [1]

ID: T1107

Tactic: Defense Evasion

Platform: Linux, macOS, Windows

Permissions Required: User

Data Sources: File monitoring, Process command-line parameters, Binary file metadata

Defense Bypassed: Host forensic analysis

Contributors: Walker Johnson

Version: 1.0

Examples

Name / Description
ADVSTORESHELL

ADVSTORESHELL can delete files and directories.[2]

APT18

APT18 actors deleted tools and batch files from victim systems.[3]

APT28

APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.[4]

APT3

APT3 has a tool that can delete files.[5]

APT37

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[6][7]

Backdoor.Oldrea

Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[8]

Bankshot

Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[9]

BBSRAT

BBSRAT can delete files and directories.[10]

Bisonal

Bisonal deletes its dropper and VBS scripts from the victim’s machine.[11]

BLACKCOFFEE

BLACKCOFFEE has the capability to delete files.[12]

BlackEnergy

BlackEnergy 2 contains a "Destroy" plug-in that destroys data stored on victim hard drives by overwriting file contents.[13]

BRONZE BUTLER

The BRONZE BUTLER uploader, or the malware the uploader works with, uses a command to delete the RAR archives after they have been exfiltrated.[14]

Calisto

Calisto has the capability to use rm -rf to remove folders and files from the victim's machine.[15]

Carbanak

Carbanak has a command to delete files.[16]

Cherry Picker

Recent versions of Cherry Picker delete files and registry keys created by the malware.[17]

cmd

cmd can be used to delete files from the file system.[18]

Cobalt Group

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.[19]

Derusbi

Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.[20][21]

Dragonfly 2.0

Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.[22][23]

FALLCHILL

FALLCHILL can delete malware and associated artifacts from the victim.[24]

FELIXROOT

FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[25]

FIN10

FIN10 has used batch scripts and scheduled tasks to delete critical system files.[26]

FIN5

FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[27]

FIN8

FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.[28]

FruitFly

FruitFly will delete files on the system.[29]

Gazer

Gazer has commands to delete files and persistence mechanisms from the victim.[30][31]

gh0st

gh0st RAT is able to delete files.[32]

Gold Dragon

Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.[33]

Group5

Malware used by Group5 is capable of remotely deleting files from victims.[34]

H1N1

H1N1 deletes shadow copies from the victim.[35]

HALFBAKED

HALFBAKED can delete a specified file.[36]

Hi-Zor

Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[37]

Honeybee

Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection.[38]

HTTPBrowser

HTTPBrowser deletes its original installer file once installation is complete.[39]

Hydraq

Hydraq creates a backdoor through which remote attackers can delete files.[40][41]

InnaputRAT

InnaputRAT has a command to delete files.[42]

InvisiMole

InvisiMole has a command to delete a file and deletes files after they have been successfully uploaded to C2 servers.[43]

JHUHUGIT

The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.[44][45]

JPIN

JPIN's installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.[46]

jRAT

jRAT has a function to delete files from the victim’s machine.[47]

Kazuar

Kazuar can delete files and optionally overwrite with random data beforehand.[48]

KEYMARBLE

KEYMARBLE has the capability to delete files off the victim’s machine.[49]

Komplex

The Komplex trojan supports file deletion.[50]

Lazarus Group

Lazarus Group malware deletes files in various ways, including "suicide scripts" to delete malware binaries from the victim. Lazarus Group also uses secure file deletion to delete files from the victim. Additionally, Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine.[51][52][53]

Linfo

Linfo creates a backdoor through which remote attackers can delete files.[54]

MacSpy

MacSpy deletes any temporary files it creates.[55]

Magic Hound

Magic Hound has deleted and overwritten files to cover tracks.[56][57]

menuPass

A menuPass macro deletes files after it has decoded and decompressed them.[58]

Misdat

Misdat is capable of deleting the backdoor file.[59]

MoonWind

MoonWind can delete itself or specified files.[60]

More_eggs

More_eggs can remove itself from a system.[19]

Mosquito

Mosquito deletes files using DeleteFileW API call.[61]

MURKYTOP

MURKYTOP has the capability to delete local files.[21]

NanHaiShu

NanHaiShu launches a script to delete their original decoy file to cover tracks.[62]

OilRig

OilRig has deleted files associated with their payload after execution.[63][64]

OopsIE

OopsIE has the capability to delete files and scripts from the victim's machine.[65]

Pasam

Pasam creates a backdoor through which remote attackers can delete files.[66]

Patchwork

Patchwork removed certain files and replaced them so they could not be retrieved.[67]

pngdowner

pngdowner deletes content from C2 communications that was saved to the user's temporary directory.[68]

PowerDuke

PowerDuke has a command to write random data across a file and delete it.[69]

POWERSTATS

POWERSTATS can wipe drives using PowerShell Remove-Item commands.[70]

Proton

Proton removes all files in the /tmp directory.[29]

Proxysvc

Proxysvc can wipe files indicated by the attacker and remove itself from disk using a batch file.[52]

Pteranodon

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[71]

PUNCHBUGGY

PUNCHBUGGY can delete files written to disk.[28]

QUADAGENT

QUADAGENT has a command to delete its Registry key and scheduled task.[72]

Reaver

Reaver deletes the original dropped file from the victim.[73]

RedLeaves

RedLeaves can delete specified files.[74]

Remsec

Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[75][76][77]

RTM

RTM can delete all files created during its execution.[78]

RunningRAT

RunningRAT contains code to delete files from the victim’s machine.[33]

Sakula

Some Sakula samples use cmd.exe to delete temporary files.[79]

SDelete

SDelete deletes data in a way that makes it unrecoverable.[80]

SeaDuke

SeaDuke can securely delete files, including deleting itself from the victim.[81]

Shamoon

Shamoon attempts to overwrite operating system files with image files.[82][83]

TDTESS

TDTESS creates then deletes log files during installation of itself as a service.[84]

Threat Group-3390

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[85]

TYPEFRAME

TYPEFRAME can delete files off the system.[86]

USBStealer

USBStealer has several commands to delete files associated with the malware from the victim.[87]

VERMIN

VERMIN can delete files on the victim’s machine.[88]

Volgmer

Volgmer can delete files and itself after infection to avoid analysis.[89]

WINDSHIELD

WINDSHIELD is capable of file deletion along with other file system interaction.[90]

Wingbird

Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[91]

XAgentOSX

XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.[92]

Mitigation

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting [93] tools like AppLocker [94][95] or Software Restriction Policies [96] where appropriate.[97]

Detection

It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
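The detection guidance above can be turned into a small correlation rule. The following is an added example, not code from the ATT&CK page or from MITRE: it classifies process-creation events whose command line deletes files (cmd.exe's DEL/ERASE built-ins, PowerShell Remove-Item and its aliases, rm, and SDelete) and raises the severity when the deleted path was created shortly before by a binary outside trusted directories, i.e. the drop-then-delete pattern the text describes. Because DEL is a built-in and never an image name, the rule locates the verb inside cmd.exe's own argument list, which only works when the telemetry captures full command lines. The event layout (fields eid/image/cmdline/target, loosely modelled on Sysmon EventID 1 and 11), the trusted-directory list and all sample events are assumptions constructed for this example.

```python
"""Correlation rule for command-line file deletion (T1107 File Deletion).

Added example, not from the ATT&CK page. Event fields are an assumption
loosely modelled on Sysmon EventID 1 (process create: image, cmdline) and
EventID 11 (file create: image, target); SAMPLE_EVENTS is constructed.
"""
import shlex
from datetime import datetime, timedelta

CMD_BUILTINS = {"del", "erase"}          # cmd.exe built-ins: there is no del.exe image
POSH_DELETE = {"remove-item", "rm", "ri", "del", "erase", "rd", "rmdir"}  # cmdlet + aliases
UNIX_RM = {"rm"}
SECURE_DELETE_IMAGES = {"sdelete.exe", "sdelete64.exe"}
DELETE_VERBS = CMD_BUILTINS | POSH_DELETE | UNIX_RM
TRUSTED_CREATOR_DIRS = ("c:\\windows\\", "c:\\program files\\")   # assumed baseline


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a command line, descending into quoted sub-commands such as
    bash -c 'rm -rf x' or powershell -Command "Remove-Item x", while keeping
    a quoted path ("C:\\Program Files\\x.exe") as one token."""
    try:
        parts = shlex.split(cmdline, posix=False)   # non-posix keeps backslashes intact
    except ValueError:                              # unbalanced quote: fall back to whitespace
        parts = cmdline.split()
    out = []
    for p in parts:
        if len(p) >= 2 and p[0] == p[-1] and p[0] in "\"'":
            inner = p[1:-1]
            head = inner.split(None, 1)[0].lower() if inner.strip() else ""
            if head in DELETE_VERBS:                # quoted sub-command: recurse
                out.extend(tokenize(inner))
                continue
            p = inner                               # quoted path: strip quotes, keep whole
        out.append(p)
    return out


def classify_deletion(event):
    """For a process-create event return (kind, [paths]) if its command line
    deletes files, otherwise None."""
    if event.get("eid") != 1:
        return None
    image = _basename(event["image"])
    toks = tokenize(event.get("cmdline", ""))
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if image in SECURE_DELETE_IMAGES:               # a tool that should not be on the estate
        return "secure_delete", [t for t in toks[1:] if not t.startswith("-") and not t.isdigit()]
    if image == "cmd.exe":
        verbs, kind, flag = CMD_BUILTINS, "cmd_builtin_delete", "/"
    elif image in {"powershell.exe", "pwsh.exe"}:
        verbs, kind, flag = POSH_DELETE, "powershell_remove_item", "-"
    elif image in {"sh", "bash", "zsh", "rm"}:
        verbs, kind, flag = UNIX_RM, "unix_rm", "-"
    else:
        return None
    for i, t in enumerate(low):                     # verb lives inside the shell's arguments
        if t in verbs:
            return kind, [p for p in toks[i + 1:] if not p.startswith(flag)]
    return None


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events, window=timedelta(hours=1)):
    """Alert on deletion events; severity is 'high' for secure-deletion tools
    and for paths created within `window` by a binary outside trusted dirs."""
    creates = {}                                    # lowercased path -> (ts, creator image)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = _parse_ts(ev["ts"])
        if ev.get("eid") == 11:
            creates[ev["target"].lower()] = (ts, ev["image"])
            continue
        hit = classify_deletion(ev)
        if not hit:
            continue
        kind, paths = hit
        for path in paths:
            severity = "high" if kind == "secure_delete" else "medium"
            created_by = None
            prior = creates.get(path.lower())
            if prior and ts - prior[0] <= window:
                created_by = prior[1]
                if not prior[1].lower().startswith(TRUSTED_CREATOR_DIRS):
                    severity = "high"               # dropped, then removed: cleanup pattern
            alerts.append({"ts": ev["ts"], "host": ev.get("host"), "kind": kind, "path": path,
                           "severity": severity, "created_by": created_by,
                           "cmdline": ev.get("cmdline")})
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"ts": "2018-10-24 09:00:00", "eid": 11, "host": "ws01",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe", "target": r"C:\Users\Public\update.exe"},
    {"ts": "2018-10-24 09:02:30", "eid": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\Users\Public\update.exe"},
    {"ts": "2018-10-24 09:05:00", "eid": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\Public"},
    {"ts": "2018-10-24 09:10:00", "eid": 1, "host": "ws01", "image": r"C:\Users\Public\sdelete64.exe",
     "cmdline": r"sdelete64.exe -p 3 C:\Users\Public\staged.rar"},
    {"ts": "2018-10-24 09:12:00", "eid": 1, "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Remove-Item -Force C:\Users\jdoe\AppData\Local\Temp\report.tmp"'},
    {"ts": "2018-10-24 09:15:00", "eid": 1, "host": "srv01", "image": "/bin/bash",
     "cmdline": "bash -c 'rm -rf /tmp/.x'"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:<6}] {a['ts']} {a['host']} {a['kind']}: {a['path']} (created by {a['created_by']})")
```

Run against the constructed events, the rule yields four alerts: the DEL of update.exe is high because loader.exe created it two minutes earlier, the SDelete invocation is high on its own, and the PowerShell Remove-Item and the rm -rf are medium because no matching file-create event precedes them. In production the trusted-directory baseline, the window and the image lists would be tuned to the environment, and the medium-severity hits would normally be reviewed in aggregate rather than alerted individually.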

References

  1. Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
  2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  3. Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  5. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  6. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  7. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  8. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  9. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  10. Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  11. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  12. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  13. Baumgartner, K. and Garnaeva, M. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016.
  14. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  15. Kuzin, M., Zelensky, S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  16. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  17. Merritt, E. (2015, November 16). Shining the Spotlight on Cherry Picker PoS Malware. Retrieved April 20, 2016.
  18. Microsoft. (n.d.). Del. Retrieved April 22, 2016.
  19. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  20. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  21. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  22. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  23. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  24. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  25. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  26. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  27. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  28. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  29. Wardle, P. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  30. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  31. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  32. FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.
  33. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  34. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  35. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  36. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  37. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  38. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  39. Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  40. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  41. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  42. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  43. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  44. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  45. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  46. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  47. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  48. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  49. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  50. Creus, D., Halfpop, T., Falcone, R. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  51. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  52. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  53. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  54. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  55. Ewane, P. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.
  56. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  57. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
  58. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  59. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  60. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  61. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  62. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  63. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  64. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  65. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  66. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  67. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  68. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  69. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  70. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  71. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  72. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  73. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  74. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  75. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  76. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  77. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  78. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  79. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  80. Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.
  81. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  82. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  83. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  84. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  85. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  86. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  87. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  88. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  89. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  90. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  91. Anthe, C., et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  92. Falcone, R. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  93. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  94. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  95. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  96. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  97. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.