Obfuscated Files or Information

Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.[1]

ID: T1406
Sub-techniques:  T1406.001, T1406.002
Tactic Type: Post-Adversary Device Access
Tactic: Defense Evasion
Platforms: Android, iOS
MTC ID: APP-21
Version: 3.1
Created: 25 October 2017
Last Modified: 09 August 2023

Procedure Examples

ID Name Description
S1061 AbstractEmu

AbstractEmu has encoded files, such as exploit binaries, to potentially use during and after the rooting process.[2]

S1095 AhRat

AhRat can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.[3]

S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas has hidden the C2 server address using base-64 encoding. [4]

S0524 AndroidOS/MalLocker.B

AndroidOS/MalLocker.B has employed both name mangling and meaningless variable names in source. AndroidOS/MalLocker.B has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. [1]

S0540 Asacub

Asacub has stored encrypted strings in the APK file.[5]

S0293 BrainTest

BrainTest stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.[6]

S1094 BRATA

BRATA has employed code obfuscation and encryption of configuration files.[7][8]

S0432 Bread

Bread uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. Bread has also abused Java and JavaScript features to obfuscate code. Bread payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. Bread has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.[9][10]

C0033 C0033

During C0033, PROMETHIUM used StrongPity to obfuscate code and strings to evade detection.[11]

S0529 CarbonSteal

CarbonSteal has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.[12]

S0480 Cerberus

Cerberus uses standard payload and string obfuscation techniques.[13]

S0323 Charger

Charger encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.[14]

S0555 CHEMISTGAMES

CHEMISTGAMES has encrypted its DEX payload.[15]

S0550 DoubleAgent

DoubleAgent has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. ‘GoogleMusic.png’) for holding configuration and C2 information.[12]

S1054 Drinik

Drinik has used custom encryption to hide strings, potentially to evade antivirus products.[16]

S0420 Dvmap

Dvmap decrypts executables from archive files stored in the assets directory of the installation binary.[17]

S0478 EventBot

EventBot dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. EventBot also utilizes ProGuard to obfuscate the generated APK file.[18]

S0509 FakeSpy

FakeSpy stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of FakeSpy encrypt the C2 address.[19]

S0408 FlexiSpy

FlexiSpy encrypts its configuration file using AES.[20]

S1067 FluBot

FluBot can obfuscated class, string, and method names in newer malware versions.[21]

S0423 Ginp

Ginp obfuscates its payload, code, and strings.[22]

S0421 GolfSpy

GolfSpy encodes its configurations using a customized algorithm.[23]

S0536 GPlayed

GPlayed has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.[24]

S0406 Gustuff

Gustuff obfuscated command information using a custom base85-based encoding.[25]

S0544 HenBox

HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.[26]

S0463 INSOMNIA

INSOMNIA obfuscates various pieces of information within the application.[27]

S0485 Mandrake

Mandrake obfuscates its hardcoded C2 URLs.[28]

S0407 Monokle

Monokle uses XOR to obfuscate its second stage binary.[29]

S0286 OBAD

OBAD contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.[30]

S0399 Pallas

Pallas stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.[31]

S0539 Red Alert 2.0

Red Alert 2.0 has stored data embedded in the strings.xml resource file.[32]

S0411 Rotexy

Starting in 2017, the Rotexy DEX file was packed with garbage strings and/or operations.[33]

S1055 SharkBot

SharkBot can use a Domain Generation Algorithm to decode the C2 server location.[34]

S0549 SilkBean

SilkBean has hidden malicious functionality in a second stage file and has encrypted C2 server information.[12]

S0545 TERRACOTTA

TERRACOTTA has stored encoded strings.[35]

S1056 TianySpy

TianySpy has encrypted C2 details, email addresses, and passwords.[36]

S0427 TrickMo

TrickMo contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s PBEWithMD5AndDES algorithm.[37]

G0112 Windshift

Windshift has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.[38]

S0312 WireLurker

WireLurker obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.[39]

S0489 WolfRAT

WolfRAT’s code is obfuscated.[40]

S0318 XLoader for Android

XLoader for Android loads an encrypted DEX code payload.[41]

S0494 Zen

Zen base64 encodes one of the strings it searches for.[42]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0041 Application Vetting API Calls

Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.

References

  1. D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.
  2. P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.
  3. Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.
  4. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  5. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  6. Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
  7. Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.
  8. Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.
  9. Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020.
  10. A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.
  11. Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.
  12. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  13. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  14. Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.
  15. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  16. Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.
  17. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  18. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  19. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  20. K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.
  21. Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
  1. ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.
  2. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  3. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  4. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  5. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  6. A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.
  7. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  8. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  9. Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.
  10. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  11. J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.
  12. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  13. RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.
  14. Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
  15. Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.
  16. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  17. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  18. Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.
  19. W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.
  20. Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.
  21. Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.