1. Home
  2. Techniques
  3. Enterprise
  4. Archive Collected Data
  5. Archive via Library

Archive Collected Data: Archive via Library

ID Name
T1560.001 Archive via Utility
T1560.002 Archive via Library
T1560.003 Archive via Custom Method

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile [1], libzip [2], and zlib [3]. Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

ID: T1560.002
Sub-technique of:  T1560
Tactic: Collection
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 20 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0642 BADFLICK

BADFLICK has compressed data using the aPLib compression library.[4]
S0127 BBSRAT

BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.[5]
S0348 Cardinal RAT

Cardinal RAT applies compression to C2 traffic using the ZLIB library.[6]
S0354 Denis

Denis compressed collected data using zlib.[7]
S0091 Epic

Epic compresses the collected data with bzip2 before sending it to the C2 server.[8]
S0661 FoggyWeb

FoggyWeb can invoke the Common.Compress method to compress data with the C# GZipStream compression class.[9]
S1044 FunnyDream

FunnyDream has compressed collected files with zLib.[10]
S0260 InvisiMole

InvisiMole can use zlib to compress and decompress data.[11][12]
G0032 Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[13][14]
S1141 LunarWeb

LunarWeb can zlib-compress data prior to exfiltration.[15]
S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D scrambles and encrypts data using AES256 before sending it to the C2 server.[16][17]
S0053 SeaDuke

SeaDuke compressed data with zlib prior to sending it over C2.[18]
S0467 TajMahal

TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.[19]
G0027 Threat Group-3390

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[20]
S0086 ZLib

The ZLib backdoor compresses communications using the standard Zlib compression library.[21]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0268 Detect Archiving via Library (T1560.002) AN0747

Detects adversarial archiving using libraries (zlib, zip APIs) invoked by scripts or binaries. Correlates process executions of Python, PowerShell, or custom .NET binaries with DLL/module loads linked to compression libraries, followed by archive file creation.
AN0748

Detects adversarial archiving by scripts or binaries calling compression libraries (libzip, zlib, bzip2). Correlates execution of Python, Perl, or compiled binaries with dynamic linking to archiving libraries and creation of compressed files in /tmp or user directories.
AN0749

Detects malicious archiving via system or third-party libraries (libz, libarchive) invoked by Python, Swift, or Objective-C binaries. Correlates unified logs of library loads with creation of compressed or encrypted archives (.zip, .gz, .bz2, .dmg).

References

  1. mkz. (2020). rarfile 3.1. Retrieved February 20, 2020.
  2. D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, 2020.
  3. madler. (2017). zlib. Retrieved February 20, 2020.
  4. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  5. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  6. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  7. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  8. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  9. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  10. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  11. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  1. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  3. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  4. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  5. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  6. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  7. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  8. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  9. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  10. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.