Field | Value |
---|---|
ID | E1560 |
Objective(s) | Exfiltration |
Related ATT&CK Techniques | Archive Collected Data (T1560) |
Version | 3.0 |
Created | 27 August 2019 |
Last Modified | 1 March 2023 |
Malware may obfuscate data via encryption or encoding before exfiltration.
See ATT&CK Technique: Archive Collected Data (T1560).
Name | ID | Description |
---|---|---|
Encoding | E1560.m01 | Data is encoded. |
Encoding - Custom Encoding | E1560.m04 | Data is encoded. A custom algorithm is used to encode the exfiltrated data. |
Encoding - Standard Encoding | E1560.m03 | Data is encoded. A standard algorithm, such as base64 encoding, is used to encode the exfiltrated data. |
Encryption | E1560.m02 | Data is encrypted. |
Encryption - Custom Encryption | E1560.m06 | Data is encrypted. A custom algorithm is used to encrypt the exfiltrated data. |
Encryption - Standard Encryption | E1560.m05 | Data is encrypted. A standard algorithm, such as Rijndael/AES, DES, or RC4, is used to encrypt the exfiltrated data. |
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | E1560.m02 | The malware uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic. C2 update responses seem to have been digitally signed using bcrypt. [1] |
Stuxnet | 2010 | E1560.m04 | Exfiltrated payloads are XORed with a static 31-byte string found inside Stuxnet and then hex-encoded so that they can be passed as an ASCII data parameter in an HTTP request to the C2 servers. [2] |
Matanbuchus | 2021 | E1560.m03 | The malware sends data as a Base64-encoded JSON string. [3] [4] |
[1] https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/
[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[3] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[4] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader