Archive Collected Data: Archive via Library

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile [1], libzip [2], and zlib [3]. Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

ID: T1560.002
Sub-technique of:  T1560
Tactic: Collection
Platforms: Linux, Windows, macOS
Data Sources: Process command-line parameters, Process monitoring
Version: 1.0
Created: 20 February 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
BBSRAT

BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.[9]

Cardinal RAT

Cardinal RAT applies compression to C2 traffic using the ZLIB library.[7]

Denis

Denis compressed collected data using zlib.[8]

Epic

Epic compresses the collected data with bzip2 before sending it to the C2 server.[5]

Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.[12][13]

SeaDuke

SeaDuke compressed data with zlib prior to sending it over C2.[4]

TajMahal

TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.[10]

Threat Group-3390

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[11]

ZLib

The ZLib backdoor compresses communications using the standard Zlib compression library.[6]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used.

Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.[14]

References