Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
TECHNIQUES
Enterprise
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Resource Development
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Domain Policy Modification
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
Credential Access
Brute Force
Credentials from Password Stores
Forge Web Credentials
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Configuration Repository
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Obfuscated Files or Information
  5. Software Packing

Obfuscated Files or Information: Software Packing

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [2] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

ID: T1027.002
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Windows, macOS
Data Sources: Binary file metadata
Defense Bypassed: Anti-virus, Heuristic detection, Signature-based detection
CAPEC ID: CAPEC-570
Contributors: Filip Kafka, ESET
Version: 1.0
Created: 05 February 2020
Last Modified: 05 February 2020

Procedure Examples

Name Description
Anchor

Anchor has come with a packed payload.[3]
APT29

APT29 used UPX to pack files.[4]
APT3

APT3 has been known to pack their tools.[5]
APT38

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[6]
APT39

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[7][8]
Astaroth

Astaroth uses a software packer called Pe123\RPolyCryptor.[9]
China Chopper

China Chopper's client component is packed with UPX.[10]
Dark Caracal

Dark Caracal has used UPX to pack Bandook.[11]
DarkComet

DarkComet has the option to compress its payload using UPX or MPRESS.[12]
Daserf

A version of Daserf uses the MPRESS packer.[13]
Dyre

Dyre has been delivered with encrypted resources and must be unpacked for execution.[14]
Elderwood

Elderwood has packed malware payloads before delivery to victims.[15]
Emotet

Emotet has used custom packers to protect its payloads.[16]
FatDuke

FatDuke has been regularly repacked by its operators to create large binaries and evade detection.[17]
FinFisher

A FinFisher variant uses a custom packer.[18][19]
GreyEnergy

GreyEnergy is packed for obfuscation.[20]
H1N1

H1N1 uses a custom packing algorithm.[21]
HotCroissant

HotCroissant has used the open source UPX executable packer.[22]
IcedID

IcedID has packed and encrypted its loader module.[23]
jRAT

jRAT payloads have been packed.[24]
Lazarus Group

Lazarus Group has used Themida to pack at least two separate backdoor implants.[25]
Lokibot

Lokibot has used several packing methods for obfuscation.[26]
Machete

Machete has been packed with NSIS.[27]

Metamorfo

Metamorfo has used VMProtect to pack and protect files.[28]

Night Dragon

Night Dragon is known to use software packing in its tools.[29]
OopsIE

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[30]
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a variant that is packed with UPX.[31]
Patchwork

A Patchwork payload was packed with UPX.[32]
Raindrop

Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[33][34]
Rocke

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[35][36][37]
SDBot

SDBot has used a packed installer file.[38]
SeaDuke

SeaDuke has been packed with the UPX packer.[39]
ShimRat

ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[40]
Soft Cell

Soft Cell packed some payloads using different types of packers, both known and custom.[41]
TA505

TA505 has used UPX to obscure malicious code.[38]
The White Company

The White Company has obfuscated their payloads through packing.[42]
TrickBot

TrickBot leverages a custom packer to obfuscate its functionality.[43]
Trojan.Karagany

Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[44][45]
Uroburos

Uroburos uses a custom packer.[46]
Valak

Valak has used packed DLL payloads.[47]
VERMIN

VERMIN is initially packed.[48]
yty

yty packs a plugin with UPX.[49]
Zebrocy

Zebrocy's Delphi variant was packed with UPX.[50][51]
ZeroT

Some ZeroT DLL files have been packed with UPX.[52]

Mitigations

Mitigation Description
Antivirus/Antimalware

Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

Detection

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

References

  1. Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
  2. Executable compression. (n.d.). Retrieved December 4, 2014.
  3. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  4. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  5. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  6. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  7. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  8. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  9. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  10. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  11. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  12. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  13. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  14. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  15. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  16. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  17. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  18. FinFisher. (n.d.). Retrieved December 20, 2017.
  19. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  20. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  21. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  22. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  23. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  24. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  25. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  26. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  1. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  2. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  3. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  4. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  5. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  6. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  7. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  8. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  9. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  10. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  11. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  12. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  13. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  14. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  15. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  16. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  17. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  18. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  19. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  20. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  21. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  22. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  23. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  24. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  25. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  26. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.