The MITRE ATT&CK T1027 Obfuscated Files or Information Technique

Keep up to date with latest blog posts

Picus Labs analyzed millions of adversary techniques and published the Red Report 2021 and the 10 Most Prevalent MITRE ATT&CK techniques used by adversaries. We are continuing our blog series on the techniques in the Top Ten list. 

This is the sixth blog of the series, and we explained the T1027 Obfuscated Files or Information technique of the MITRE ATT&CK framework. In the Red Report 2021, this technique is the sixth most used ATT&CK technique.

The Red Report 2021 - Top Ten MITRE ATT&CK Techniques

MITRE ATT&CK T1027 Obfuscated Files or Information

Adversaries obfuscate the contents of an executable or file by encrypting, encoding, compressing, or otherwise obscuring them on the system or in transit [1]. This is a common adversary behavior that can be used to bypass defenses across multiple platforms and the network.

What Are the Common Obfuscation Methods?

Adversaries obfuscate malicious files, codes, commands, configurations, and other information to avoid detection by security controls. The most common obfuscation methods are:

  • Changing the form of data: This method includes mechanisms that transform data to avoid detection, such as compression, archiving, packing, and archiving. Some of these mechanisms require user interaction to revert data to its original form, such as submitting a password to open a password-protected file.

  • Changing the size of data: This method includes mechanisms, such as binary padding that increase the size of a malicious file without affecting its functionality and behavior. The goal is to evade security tools that aren’t configured to scan files larger than a specific size.

  • Hiding malicious data: These mechanisms hide the malicious data in seemingly benign files. Before hiding in a file, the data can be split to decrease its detection rate. Steganography and HTML smuggling are some examples of this method.

  • Obfuscating or removing indicators: This method includes mechanisms that are used to obfuscate or remove indicators of compromise from malicious files to avoid detection. File signatures, environment variables, characters, section names, and other platform/language/application specific semantics are some indicators obfuscated/removed by attackers to bypass signature-based detections.

Subtechnique 1: T1027.001 Binary Padding

Binary padding is adding junk data to the original malware binary to alter the malware’s on-disk representation without affecting its functionality or behavior [2]. Adversaries use binary padding to bypass certain security scanners that ignore files larger than a specified size and avoid hash-based static controls.

Adversary Use of Binary Padding

The binary padding technique's primary goal is to increase the size of the malware binary to exceed the size limits of security tools and bypass them.

Some security tools are not designed or configured to scan large files. Picus Labs examined the current cloud and on-premise antivirus and antimalware tools. We encountered the default maximum file size values of 25 MB, 100 MB, 120 MB, 150 MB, and 200 MB. Files above the maximum file size will not be scanned by antivirus and antimalware tools. Of course, these tools also allow users to change or remove the size limit.

Malware ScanningFigure 1: Example of File Size Limit for Malware Scanning

Moreover, the maximum file size that public file scanning services can analyze is also limited. For example, the current file upload limit of VirusTotal is 650 MB.

In general, adversaries develop functions to generate junk data. For example, the Cerber ransomware used a function to concatenate a string (N4mQj8624F9Npw10s61F) 4,782,969 million times (3^14) and save the 95 MB output to a file [3]. Thus, Cerber employed binary padding by adding 95 MB junk data to its 254 KB original payload.

The second goal of binary padding is changing hash values of the malware binary to bypass static antivirus signatures and hash-based blocklists.

Subtechnique 2:  T1027.002 Software Packing

Software packing is a method that combines compression and encryption of software to reduce its size and prevent it from reverse-engineering. Adversaries use software packing to conceal malicious software and avoid signature-based detection by changing the file signature [4].

Adversary Use of Software Packing

Packers are utilities that are used for software packing. In most cases, packers can be loosely classified into three categories:

  • Compressing packers are used to distribute executables in a compressed format, primarily to reduce the file's size. 
  • Encrypting packers are used to encrypt or obfuscate the distributed executable to prevent end-users from reverse engineering it.
  • Hybrid packers are used to both compress and encrypt executable files.

For example, MPRESS and UPX are two examples of compressing packers, which are legitimately used to reduce the file size of executables. However, they are abused by malware developers to avoid signature-based detections. Additionally, packers can significantly slow down manual malware analysis, potentially enabling the malware for a longer dwell time. VMProtect, ASPack, Themida, Exe Packer, and Morphine are some other common packers.

There are some indicators that indicate an executable is packed:

  • Section names: The majority of packers will assign their own section names to sections within the binary. For example, 

    • UPX uses UPX0, UPX1

    • MPRESS uses MPRESS1, MPRESS2

    • VMProtect uses vmp0 and vmp1 as section names [5].

  • Entropy values: The entropy of a file is a measure of the randomness of the characters contained within the file. When a file is compressed or encrypted, it will have high entropy.

  • Import table: The Import Table of a packed file includes very few functions such as VirtualProtect, GetProcAddress, and LoadLibraryA, because the packed file hides the majority of the functions and leaves only those that are required during the unpacking process.

To decrease the detection rate, adversaries also use modified versions of packers. For example, Ares malware used a modified UPX; it replaced the default UPX section names (UPX0, UPX1, ...) with standard section names like .text, .data, and .rdata [6].

Subtechnique 3: T1027.003 Steganography

Steganography is a technique for concealing secret data within a non-secret file or message in order to avoid detection. Thus, the secret message's existence is frequently difficult to detect. Steganography can be used to conceal almost any type of digital file within another digital file, including image, video, audio, or text files. 

Steganography comes from two Greek words: steganos, which means "covered," and graphia, which means "writing." Steganography is an ancient practice that has been used in many forms to keep conversations hidden for thousands of years.

Although both cryptography and steganography share the nearly identical purpose of protecting a message or piece of information from third parties, they use entirely different approaches to protect the information. In cryptography, the content is concealed, and everyone knows that there is a secret message in the concealed content. However, in steganography, only the sender and intended recipient know the existence of the secret message. Modern digital steganography uses both steganography and cryptography. For example, the information to be hidden is first encrypted or obfuscated in some algorithms, then inserted into the cover file. 

Adversary Use of Steganography

Adversaries use steganography to prevent the detection of hidden information. 

Many security controls allow image file formats. Embedding malicious payloads with steganography into images and hosting them on legitimate image-hosting platforms or on compromised websites allows adversaries to bypass security controls. Downloading images from these websites does not raise suspicion. Thus, adversaries commonly hide malicious payloads in image files. 

  • The TEARDROP malware used in the SolarWinds breach reads from the file gracious_truth.jpg that includes a malicious payload [7]. 
  • The ObliqueRAT remote access trojan embeds its payloads as seemingly-innocent image files that are hidden on compromised websites [8]. In detail, a .ZIP file that contains the ObliqueRAT payload was embedded in a BMP image file.
  • The ICEDID loader connects to its command and control server to download a PNG file that contains RC4 encrypted data of the ICEDID malware [9]. The loader will decrypt the data and inject it into a svchost.exe instance.
  • Remcos RAT employs a custom steganography algorithm to conceal its payload in a PNG file and hosts payloads on a legitimate image hosting platform, Imgur [10].

Subtechnique 4: T1027.004 Compile After Delivery

The Compile After Delivery technique involves delivering malicious files to victims as uncompiled code to make files challenging to discover and analyze [11]. Malicious payloads as text-based source code files may bypass protections targeting executables/binaries. Prior to execution, these payloads must be compiled, typically using native utilities such as csc.exe or GCC/MinGW.

Adversary Use of Compile After Delivery

MuddyWater makes use of a program named csc.exe, which is included in the.NET framework and may be used to compile an executable from C# code [12]. The csc.exe is the command-line compiler of Visual C# that is built-in within the .NET framework runtime. This means that an attacker does not have to transfer a compiled executable to the target computer; instead, the attacker can obtain the source code and compile it on the target machine.

The Gamaredon group's .NET executable uses obfuscation techniques such as junk code insertion and string obfuscation. In its body, it contains a base64-encoded source code of a downloader. It decodes the source code and directly compiles it on the system, utilizing the built-in Microsoft. CSharp.CSharpCodeProvider class [13].

The SuperNova webshell used in the SolarWinds breach leveraged the CSharpCodeProvider mechanism for in-memory compilation of .NET assemblies [14].

The Sequre ransomware compiles its source code with csc.exe [15].

Subtechnique 5: T1027.005 Indicator Removal from Tools

If adversaries determine that their malicious tool was detected because of some indicators, they remove these indicators from the tool. Then, they use the updated version that is no longer detected by the target's security controls. This method is categorized as Indicator Removal from Tools in the MITRE ATT&CK framework [16].

Adversary Use of Indicator Removal from Tools

A typical example of this technique is changing the file signatures of a malware file. Suppose that an attacker realized that the malware was detected because of its file signature. Then, the attacker will modify the file to avoid that signature and use this updated version in subsequent attacks. For example, some threat actors use the hashbusting method to obfuscate the malware by subtly changing it on the fly. Thus, each sample has a different checksum.

  • Qakbot banking trojan uses this method to make the SHA256 hash of each payload downloaded from C2 servers unique [17]. 
  • TEMP.Veles threat actors continually modified binaries of the open-source cryptcat software to decrease AV detection rates [18].
  • The Turla threat group encodes the mutex name and the named pipe -strings that could be used as IoCs- in the new versions of the Gazer malware [19]. Moreover, the logfile names were hardcoded in the binary on the previous versions, but random file names were used in the new versions.
  • Patchwork modified the NDiskMonitor backdoor by adding four extra bytes of random uppercase and lowercase letters after the PE-referenced data in the overlay to change the file hashes [20]. These extra bytes don’t change the functionality of NDiskMonitor, since the Windows PE loader won't even load them into memory.

Subtechnique 6: T1027.006 HTML Smuggling

HTML smuggling is hiding malicious payloads inside of HTML files through JavaScript Blobs and/or HTML5 download attributes. By using the HTML smuggling technique, adversaries can evade content filters of security controls by concealing malicious payloads within seemingly benign HTML files [21]. 

Adversary Use of HTML Smuggling

HTML5 introduced the download attribute for anchor (<a>) tag. The download attribute indicates that when a user clicks on the hyperlink, the target (the file specified in the href attribute) will be downloaded.

<a href='/files/maliciousfile.doc' download='myfile.doc'>Click</a>

A download attribute can also be created using JavaScript instead of HTML:

var myAnchor = document.createElement('a');
myAnchor.download = 'myfile.doc';

Adversaries combine the download attribute with JavaScript Blobs (Binary Large Object). HTML documents have the ability to store large binary objects referred to as JavaScript Blobs [21]. A blob is a file-like object of immutable, raw data, and it can be read as text or binary data [22]. Adversaries can use blobs in HTML files to store their malicious payloads. Since the final content may have benign MIME types such as text/plain and/or text/html, web content filters may not identify smuggled malicious files inside of HTML/JS files [21].

A Blob can be constructed locally using pure JavaScript [23], [24]:

var myBlob = new Blob([maliciousData], {type: 'text/plain'});

This line creates a Blob of MIME type text/plain and fills it with the data contained in variable maliciousData. Then, using URL.creaateObjectURL, we can generate a URL from the Blob object and associate it with an anchor point, and a file name with the download attribute:

var myUrl = window.URL.createObjectURL(blob);
var myAnchor = document.createElement('a');
myAnchor.href = myUrl;
myAnchor.download = 'myfile.doc';

As an example, the NOBELIUM threat group effectively implements HTML smuggling [23]. Their EnvyScout tool is a malware dropper used by NOBELIM to de-obfuscate and write a malicious ISO file to disk. EnvyScout carries a payload in the form of an encrypted blob. This payload is decoded by XOR'ing each letter against a single-byte key, resulting in a Base64 payload that is subsequently decoded and written to disk.

Data URLs also enable malware developers to embed small malicious files inline in documents. For example, a base64 encoded malicious payload can be stored in a data URL with the following format:

data:[<text/plain>][;base64],<base64 encoded malicious payload>

Since the MIME type of this data URL is text/plain, it may evade some content filters.

References

[1]  “Obfuscated Files or Information.” https://attack.mitre.org/techniques/T1027/.

[2]  J. Segura, “Cerber ransomware delivered in format of a different order of Magnitude,” 09-Aug-2017.https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivered-format-different-order-magnitude/.

[3]  “Obfuscated Files or Information: Software Packing.” https://attack.mitre.org/techniques/T1027/002/.

[4]  T. Mathison, “Manually Unpacking Malware,” 23-Nov-2020. https://tdmathison.github.io/posts/Manually-unpacking-malware/.

[5]  “Ares - Technical Analysis.” https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan.

[6]  S. Özarslan, “Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach.” https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach.

[7]  L. O’Donnell, “Compromised Website Images Camouflage ObliqueRAT Malware,” Threatpost, 02-Mar-2021. https://threatpost.com/website-images-obliquerat-malware/164395/.

[8]  “TA551 distributes new ICEDID malware.” https://success.trendmicro.com/solution/000283386.

[9]  https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf.

[10]  “Obfuscated Files or Information: Compile After Delivery.” https://attack.mitre.org/techniques/T1027/004/.

[11]  https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf.

[12]  “Gamaredon group grows its game,” 11-Jun-2020. https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/.

[13]  M. Figueroa, “SolarWinds,” 24-Dec-2020. https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan/.

[14]  “Sequre Ransomware compiles its own source code.” https://labs.vipre.com/sequre-ransomware-compiles-its-own-source-code/.

[15]  “Obfuscated Files or Information: Indicator Removal from Tools.” https://attack.mitre.org/techniques/T1027/005/.

[16]  “Qakbot Banking Trojan.” https://blog.cyberint.com/qakbot-banking-trojan.

[17]  “TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers.” https://www.mandiant.com/resources/triton-attribution-russian-government-owned-lab-most-likely-built-tools.

[18]  https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf.

[19]  https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf.

[20]  “Obfuscated Files or Information: HTML Smuggling.” https://attack.mitre.org/techniques/T1027/006/.

[21]  “Blob.” https://developer.mozilla.org/en-US/docs/Web/API/Blob.

[22]  Microsoft Threat Intelligence Center (MSTIC), “Breaking down NOBELIUM’s latest early-stage toolset,” 28-May-2021. https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/.

[23]  Outflank, “HTML smuggling explained.” http://www.outflank.nl/publications.

[24]  H. Carvey, “Indicators of lateral movement using at.exe on Windows 7 systems.” https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems.

Subscribe

Keep up to date with latest blog posts