1. Home
  2. Techniques
  3. Enterprise
  4. 归档收集数据

归档收集数据

ID Name
T1560.001 多层嵌套压缩加密
T1560.002 隐写式数据封装
T1560.003 分片式时空分离归档
T1560.004 合法文件格式伪装

归档收集数据是攻击者在渗透过程中对窃取信息进行压缩加密处理的技术,旨在降低数据泄露风险并规避检测。攻击者通常使用系统自带工具(如tar、zip)或第三方库对数据进行归档处理,防御方可通过对压缩工具进程的监控、异常命令行参数检测,以及网络流量中加密文件特征的识别来进行防护。现有检测手段主要依赖文件头特征分析、熵值检测和传输行为异常识别等技术。

为应对传统检测方法,攻击者发展出融合密码学、隐写术与协议仿真的新型归档技术,通过多模态隐匿手段突破基于单一特征检测的防御体系。这些技术将数据隐匿过程解构为格式伪装、时空分散、信息隐藏等多个维度,形成具有自适应能力的动态匿迹系统。

当前归档数据匿迹技术的核心演进方向是构建多维融合的隐匿生态。多层嵌套压缩加密通过算法组合复杂度对抗密码分析,隐写式封装实现数据在载体文件中的不可见存储,分片归档利用传输协议的异构性稀释特征浓度,格式伪装则突破人工审计与自动化检测的协同防御。这些技术的共性在于:①采用纵深加密体系增加数据恢复难度;②利用合法业务流量特征构建传输掩护;③引入环境感知机制动态调整隐匿策略。例如分片传输技术结合时间延迟与协议跳变,使防御方难以建立有效的流量关联分析;格式伪装技术通过深度仿真常见文档结构,将恶意归档文件融入日常文件交换场景。

匿迹技术的发展导致传统基于文件特征识别的检测方法逐渐失效,防御方需构建多维特征融合分析模型,结合数据流时空关联分析、隐写检测算法增强,以及行为链溯源能力,建立覆盖数据预处理、传输、重组全周期的防护体系。

ID: T1560
Sub-techniques:  T1560.001, T1560.002, T1560.003, T1560.004
Tactic: 信息收集
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 20 February 2020
Last Modified: 20 January 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过精确仿冒合法文件格式的头部结构、元数据特征,使加密压缩数据呈现为正常文档或系统文件。例如将窃密数据封装成具有标准DOCX文件结构的文档,在文件资源管理器中显示合规图标与预览内容。这种深度伪装使防御方难以通过表面特征识别异常文件。

数据遮蔽

采用多层加密算法(如AES+RSA混合加密)对归档数据进行端到端加密,结合压缩改变数据熵值分布。加密过程在内存中完成且不遗留临时文件,确保从存储到传输的全链路数据不可读性,有效规避内容检测。

时空释痕

通过分片传输机制将完整数据包拆解为多个微片段,经由不同时间窗口和网络通道分别传输。这种时空分离策略稀释了数据泄露的集中特征,使得传统基于单次大文件传输的检测模型失效,防御方难以通过局部流量捕获发现完整攻击链。

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[1]
S0331 Agent Tesla

Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.[2]
S0622 AppleSeed

AppleSeed has compressed collected data before exfiltration.[3]
G0007 APT28

APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.[4]
G0050 APT32

APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.[5]
S0456 Aria-body

Aria-body has used ZIP to compress data gathered on a compromised host.[6]
G0001 Axiom

Axiom has compressed and encrypted data prior to exfiltration.[7]
S0093 Backdoor.Oldrea

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[8]
S0521 BloodHound

BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.[9][10]
S0657 BLUELIGHT

BLUELIGHT can zip files before exfiltration.[11]
S1039 Bumblebee

Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.[12]
S0454 Cadelspy

Cadelspy has the ability to compress stolen data into a .cab file.[13]
S0667 Chrommme

Chrommme can encrypt and store on disk collected data before exfiltration.[14]
S0187 Daserf

Daserf hides collected data in password-protected .rar archives.[15]
G0035 Dragonfly

Dragonfly has compressed data into .zip files prior to exfiltration.[16]
S0567 Dtrack

Dtrack packs collected data into a password protected archive.[17]
G1003 Ember Bear

Ember Bear has compressed collected data prior to exfiltration.[18]
S0363 Empire

Empire can ZIP directories on the target system.[19]
S0091 Epic

Epic encrypts collected data using a public key framework before sending it over the C2 channel.[20] Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.[21]
S0343 Exaramel for Windows

Exaramel for Windows automatically encrypts files before sending them to the C2 server.[22]

S0267 FELIXROOT

FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[23]
G0037 FIN6

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[24]
S0249 Gold Dragon

Gold Dragon encrypts data using Base64 before being sent to the command and control server.[25]
G0004 Ke3chang

The Ke3chang group has been known to compress data before exfiltration.[26]
S0487 Kessel

Kessel can RC4-encrypt credentials before sending to the C2.[27]

S0356 KONNI

KONNI has encrypted data and files prior to exfiltration.[28]
G0032 Lazarus Group

Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2. [29][30][31]
G0065 Leviathan

Leviathan has archived victim's data prior to exfiltration.[32]
S0395 LightNeuron

LightNeuron contains a function to encrypt and store emails that it collects.[33]
S0681 Lizar

Lizar has encrypted data before sending it to the server.[34]
S1101 LoFiSe

LoFiSe can collect files into password-protected ZIP-archives for exfiltration.[35]
G1014 LuminousMoth

LuminousMoth has manually archived stolen files from victim machines before exfiltration.[36]
S0010 Lurid

Lurid can compress data before sending it.[37]
S0409 Machete

Machete stores zipped files with profile data from installed web browsers.[38]

G0045 menuPass

menuPass has encrypted files and information before exfiltration.[39][40]
S0198 NETWIRE

NETWIRE has the ability to compress archived screenshots.[41]
G0040 Patchwork

Patchwork encrypted the collected files' path with AES and then encoded them with base64.[42]
S0517 Pillowmint

Pillowmint has encrypted stolen credit card information with AES and further encoded it with Base64.[43]

S1012 PowerLess

PowerLess can encrypt browser database files prior to exfiltration.[44]
S0113 Prikormka

After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish.[45]
S0279 Proton

Proton zips up files before exfiltrating them.[46]
S1148 Raccoon Stealer

Raccoon Stealer archives collected system information in a text f ile, System info.txt, prior to exfiltration.[47]
S0375 Remexi

Remexi encrypts and adds all gathered browser data into files for upload to C2.[48]
S0253 RunningRAT

RunningRAT contains code to compress files.[25]
S0445 ShimRatReporter

ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.[49]

S1140 Spica

Spica can archive collected documents for exfiltration.[50]
S0586 TAINTEDSCRIBE

TAINTEDSCRIBE has used FileReadZipSend to compress a file and send to C2.[51]
S0257 VERMIN

VERMIN encrypts the collected files using 3-DES.[52]
S0515 WellMail

WellMail can archive files on the compromised host.[53]
S0658 XCSSET

XCSSET will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB.[54]
S0251 Zebrocy

Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration. [55][56][57]

Mitigations

ID Mitigation Description
M1047 Audit

System scans can be performed to identify unauthorized archival utilities.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that will aid in compression or encrypting data that is collected prior to exfiltration, such as tar.

DS0022 File File Creation

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.
DS0009 Process Process Creation

Monitor for newly constructed processes and/or command-lines that aid in compression or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  3. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  5. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  6. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  7. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  8. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  9. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  10. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  11. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  12. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  13. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  14. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  15. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  16. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  17. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  18. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  19. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  20. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  21. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  22. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  23. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  24. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  25. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  26. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  27. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  28. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  29. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  2. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  4. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  5. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  6. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  7. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  8. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  9. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  10. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  11. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  12. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  13. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  14. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  15. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  16. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  17. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  18. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  19. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  20. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  21. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  22. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  23. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  24. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  25. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  26. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  27. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  28. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.