Data Encrypted
Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file formats that can encrypt files are RAR and zip.
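The description above covers three flavours of pre-exfiltration encryption: archive containers (zip, RAR), library ciphers such as RC4, and a hard-coded single-byte XOR. The Python triage script below is an added example, not code from the ATT&CK page or from any of the malware families listed, and shows how a defender examining a captured outbound payload can tell them apart: archive magic bytes identify containers, Shannon entropy flags stream or block cipher output, and, because a single-byte XOR merely permutes byte values and so leaves entropy unchanged, a known-plaintext check recovers the key instead. The sample payloads, the 0x5A key, and the assumption that the app's payloads begin with `{"` are all constructed for the example.

```python
"""Triage a captured outbound payload for signs of pre-exfiltration encryption.

Added example (not ATT&CK's or any malware author's code). All inputs below
are constructed inline so the script runs offline.
"""
import math
import random
import string
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"        # local file header of a zip archive
RAR_MAGIC = b"Rar!\x1a\x07"      # RAR archive signature (v1.5+/v5 share this prefix)
ENTROPY_THRESHOLD = 7.0          # bits per byte; cipher output sits near 8.0
PRINTABLE = set(bytes(string.printable, "ascii"))

# --- constructed sample payloads -------------------------------------------
# Assumed shape of the app's exfil record: a JSON object, so it starts with {"
PLAINTEXT = (b'{"contacts":[{"name":"Alice","phone":"+15550100"}],'
             b'"sms":[{"to":"+15550101","body":"meeting at 9"}]}')
XOR_KEY = 0x5A                                   # assumed hard-coded key
XORED = bytes(b ^ XOR_KEY for b in PLAINTEXT)    # single-byte XOR "encryption"
_rng = random.Random(1234)                       # deterministic stand-in for RC4/AES output
RANDOMLIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
ZIP_BLOB = ZIP_MAGIC + RANDOMLIKE[:60]           # archive header + opaque body


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Max is min(8, log2(len(data))), so short
    samples cannot reach 8.0 even when random; keep samples at least a few KB."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (incl. whitespace)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_xor_key(data: bytes, known_prefix: bytes = b'{"',
                                min_printable: float = 0.95):
    """Known-plaintext check for a single-byte XOR key.

    The key is derived from the first byte, then verified against the rest of
    the known prefix and the printability of the whole decryption. Returns the
    key (0 means the data was not XOR-encoded) or None if no key fits.
    """
    if len(data) < len(known_prefix):
        return None
    key = data[0] ^ known_prefix[0]
    decoded = bytes(b ^ key for b in data)
    if not decoded.startswith(known_prefix):
        return None
    if printable_ratio(decoded) < min_printable:
        return None
    return key


def triage(data: bytes) -> str:
    """Label a payload: archive container, cipher-like, XOR-obfuscated, or plain."""
    if data.startswith(ZIP_MAGIC):
        return "zip-container"
    if data.startswith(RAR_MAGIC):
        return "rar-container"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    # Low entropy does not mean plaintext: a fixed XOR key preserves the
    # byte distribution exactly, so fall back to the known-plaintext test.
    key = recover_single_byte_xor_key(data)
    if key is None:
        return "unclassified"
    if key == 0:
        return "plaintext"
    return f"single-byte-xor (key 0x{key:02x})"


if __name__ == "__main__":
    for name, blob in [("PLAINTEXT", PLAINTEXT), ("XORED", XORED),
                       ("RANDOMLIKE", RANDOMLIKE), ("ZIP_BLOB", ZIP_BLOB)]:
        print(f"{name:11} entropy={shannon_entropy(blob):.2f}  -> {triage(blob)}")
```

The entropy check alone would label the XOR-encoded record as plaintext, which is the point of the fallback: the two samples have identical entropy, and only the known-plaintext test separates them. In practice the known prefix comes from reverse engineering the app's record format, and a repeating multi-byte key needs the same test applied per key position.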
Procedure Examples
| Name | Description |
|---|---|
| Anubis | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
| Desert Scorpion | Desert Scorpion can encrypt exfiltrated data.[2] |
| Exodus | Exodus One encrypts data using XOR prior to exfiltration.[3] |
| GolfSpy | GolfSpy encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.[4] |
| Triada | |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Many encryption mechanisms are built into standard application-accessible APIs, and are therefore undetectable to the end user.
References
- M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
- A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
- Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.