- Home
- Techniques
- Enterprise
- Obfuscated Files or Information
- Compile After Delivery
Obfuscated Files or Information: Compile After Delivery
Other sub-techniques of Obfuscated Files or Information (5)
ID | Name |
---|---|
T1027.001 | Binary Padding |
T1027.002 | Software Packing |
T1027.003 | Steganography |
T1027.004 | Compile After Delivery |
T1027.005 | Indicator Removal from Tools |
Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]
Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]
Procedure Examples
Name | Description |
---|---|
Cardinal RAT |
Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.[3] |
Gamaredon Group |
Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
MuddyWater |
MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.[1] |
njRAT |
njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.[5] |
Rocke |
Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).[6] |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Monitor the execution file paths and command-line arguments for common compilers, such as csc.exe and GCC/MinGW, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. The compilation of payloads may also generate file creation and/or file write events. Look for non-native binary formats and cross-platform compiler and execution frameworks like Mono and determine if they have a legitimate purpose on the system.[2] Typically these should only be used in specific and limited cases, like for software development.
References
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.