Archive Collected Data: Archive via Utility
Other sub-techniques of Archive Collected Data (3)
ID | Name |
---|---|
T1560.001 | Archive via Utility |
T1560.002 | Archive via Library |
T1560.003 | Archive via Custom Method |
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip[1], WinRAR[2], and WinZip[3]. Most utilities include functionality to encrypt and/or compress data.
Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.
Procedure Examples
Name | Description |
---|---|
APT1 | APT1 has used RAR to compress files before moving them outside of the victim network.[4] |
APT3 | APT3 has used tools to compress data before exfilling it.[5] |
APT33 | |
APT39 | APT39 has used WinRAR and 7-Zip to compress and archive stolen data.[7] |
APT41 | APT41 created a RAR archive of targeted files for exfiltration.[8] |
BRONZE BUTLER | BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.[9][10] |
Calisto | Calisto uses the |
Chimera | Chimera has used modified RAR software to archive data with a password.[13] |
CopyKittens | CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.[14] |
CORALDECK | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[15] |
Daserf | Daserf hides collected data in password-protected .rar archives.[16] |
DustySky | DustySky can compress files via RAR while staging data to be exfiltrated.[17] |
FIN8 | FIN8 has used RAR to compress collected data before exfiltration.[18] |
Gallmaker | Gallmaker has used WinZip, likely to archive data prior to exfiltration.[19] |
iKitten | iKitten will zip up the /Library/Keychains directory before exfiltrating it.[20] |
InvisiMole | InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.[21] |
Ke3chang | Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[22] |
Magic Hound | Magic Hound has used RAR to stage and compress local folders.[23] |
menuPass | menuPass has compressed files before exfiltration using TAR and RAR.[24][25] |
Micropsia | Micropsia creates a RAR archive based on collected files on the victim's machine.[26] |
MuddyWater | MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.[27] |
Okrum | Okrum was seen using a RAR archiver tool to compress/decompress data.[28] |
OopsIE | OopsIE compresses collected files with GZipStream before sending them to its C2 server.[29] |
PoetRAT | |
PoshC2 | PoshC2 contains a module for compressing data using ZIP.[31] |
PowerShower | PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.[32] |
PUNCHBUGGY | PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.[33] |
Pupy | Pupy can compress data with Zip before sending it over C2.[34] |
Ramsay | Ramsay can compress and archive collected files using WinRAR.[35] |
Soft Cell | Soft Cell used WinRAR to compress and encrypt stolen data prior to exfiltration.[36] |
Sowbug | Sowbug extracted documents and bundled them into a RAR archive.[37] |
Turla | Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.[38] |
UNC2452 | UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.[39][40] |
WindTail | WindTail has the ability to use the macOS built-in zip utility to archive files.[41] |
Mitigations
Mitigation | Description |
---|---|
Audit | System scans can be performed to identify unauthorized archival utilities. |
Detection
Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.
Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.[42]
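Both detection ideas above, process monitoring for known archivers (with a note of whether a documented password switch was used) and identifying archive files by their signature bytes, worked through as an added example that is not part of the original page. The tool names, switches and signature bytes are the publicly documented ones; the log records are constructed, loosely modelled on Sysmon Event ID 1 fields, and are not real telemetry.

```python
import re

# Magic bytes of the archive formats named on this page (file signatures; see ref [42]).
ARCHIVE_SIGNATURES = {
    "zip": b"PK\x03\x04", "rar4": b"Rar!\x1a\x07\x00", "rar5": b"Rar!\x1a\x07\x01\x00",
    "7z": b"7z\xbc\xaf\x27\x1c", "gzip": b"\x1f\x8b", "cab": b"MSCF",
}
# Image names of the utilities listed on this page, mapped to a tool family.
ARCHIVER_FAMILIES = {
    "rar.exe": "rar", "winrar.exe": "rar", "7z.exe": "7z", "7za.exe": "7z",
    "makecab.exe": "makecab", "tar": "tar", "zip": "zip", "winzip64.exe": "winzip",
}
# Documented password switches: rar -p<pwd> / -hp<pwd> (-hp also encrypts headers),
# 7z -p<pwd>, Info-ZIP zip -e (prompt) or -P <pwd>. Other tools have no entry.
PASSWORD_SWITCHES = {
    "rar": re.compile(r"(?:^|\s)-(?:hp|p)\S*"),
    "7z": re.compile(r"(?:^|\s)-p\S*"),
    "zip": re.compile(r"(?:^|\s)-(?:e|P)(?:\s|$)"),
}

def classify_archive(header: bytes):
    """Return the archive type implied by a file's leading bytes, or None."""
    for name, sig in ARCHIVE_SIGNATURES.items():
        if header.startswith(sig):
            return name
    return None

def assess_process_event(event: dict) -> dict:
    """Flag a process-creation record whose image is a known archiver; note password use."""
    image = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    family = ARCHIVER_FAMILIES.get(image)
    if family is None:
        return {"archiver": False}
    pattern = PASSWORD_SWITCHES.get(family)
    protected = bool(pattern and pattern.search(event.get("CommandLine", "")))
    return {"archiver": True, "family": family, "password_switch": protected}

def scan_events(events):
    """List (family, password_switch) for every archiver invocation in the records."""
    verdicts = (assess_process_event(ev) for ev in events)
    return [(v["family"], v["password_switch"]) for v in verdicts if v["archiver"]]

# Constructed sample records, loosely modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpEXAMPLEPW C:\Users\Public\out.rar C:\Users\alice\Documents"},
    {"Image": r"C:\Windows\System32\makecab.exe",
     "CommandLine": r"makecab.exe C:\temp\data.txt C:\temp\data.cab"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]
```

As the page notes, archiver invocations alone are often benign; the password-switch flag and the archive-signature check are what help an analyst rank them, and the signature check also applies to files observed in transit.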
References
- I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.
- A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.
- Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.