Field | Value |
---|---|
ID | E1560 |
Objective(s) | Collection |
Related ATT&CK Techniques | Archive Collected Data (T1560) |
Version | 4.1 |
Created | 27 August 2019 |
Last Modified | 27 April 2024 |
Malware may collect and package (or archive) the information it has gathered from a compromised system. Once collected, the data is often compressed and encrypted into an archive file using various tools or utilities. Common archive formats include .zip, .tar, .rar, and .7z. Archiving helps the attacker in two ways: it reduces the size of the data, making it easier and quicker to exfiltrate, and it helps avoid detection, since many security tools do not inspect the contents of compressed or encrypted files.
See ATT&CK Technique: Archive Collected Data (T1560).
Name | ID | Description |
---|---|---|
Encoding | E1560.m01 | Data is encoded. |
Encoding - Custom Algorithm | E1560.m04 | Data is encoded. A custom algorithm is used to encode the exfiltrated data. |
Encoding - Standard Algorithm | E1560.m03 | Data is encoded. A standard algorithm, such as base64 encoding, is used to encode the exfiltrated data. |
Encryption | E1560.m02 | Data is encrypted. |
Encryption - Custom Algorithm | E1560.m06 | Data is encrypted. A custom algorithm is used to encrypt the exfiltrated data. |
Encryption - Standard Algorithm | E1560.m05 | Data is encrypted. A standard algorithm, such as Rijndael/AES, DES, RC4, is used to encrypt the exfiltrated data. |
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | E1560.m02 | The malware uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic. C2 update responses seem to have been digitally signed using bcrypt. [1] |
Stuxnet | 2010 | E1560.m04 | Exfiltrated payloads are XORed with a static 31-byte string found inside Stuxnet and then hex-encoded so they can be passed as an ASCII data parameter in an HTTP request to the C2 servers. [2] |
Matanbuchus | 2021 | E1560.m03 | Malware sends data as a Base64 string of JSON. [3] [4] |
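The methods table and the Stuxnet and Matanbuchus entries above describe the same defender's problem from three angles: collected data leaves the host wrapped in a standard encoding (Base64 of JSON, E1560.m03), a custom encoding (XOR with a static key, then hex, E1560.m04), or an opaque encrypted blob (E1560.m05). The script below is an added triage example, not MBC's, CAPE's or any vendor's code: it labels outbound request parameter values, peels off a Base64 or hex layer where one is present, and reports the Shannon entropy of what remains so an analyst can separate readable encoded data from ciphertext. It goes slightly beyond the page's two concrete instances by handling both encoding layers in one classifier. Every sample value, the 31-byte XOR key (`ASSUMED_XOR_KEY`) and the label names are constructed here for illustration and do not come from any real sample.

```python
"""
Triage of outbound request parameters that may carry collected data wrapped
by an encoding or encryption layer (MBC E1560.m03 / m04 / m05).

Added example, not MBC's, CAPE's or any vendor's code. All sample values and
the XOR key are constructed here for illustration.
"""
import base64
import binascii
import math
import re
import string
from collections import Counter

# Constructed 31-byte repeating XOR key standing in for a key an analyst has
# recovered from a sample (m04 style). It is NOT any real malware's key.
ASSUMED_XOR_KEY = bytes(range(0x10, 0x10 + 31))

_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: bytes = ASSUMED_XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call both applies and reverses the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_xor(value: str, key: bytes = ASSUMED_XOR_KEY) -> bytes:
    """Undo 'XOR with static key, then hexify' (the m04 pattern on this page)."""
    return xor_bytes(binascii.unhexlify(value), key)


def _is_text(raw: bytes) -> bool:
    return bool(raw) and all(chr(b) in string.printable for b in raw)


def classify_param(value: str) -> dict:
    """
    Label one parameter value as plain / hex / base64 / base64-opaque.
    Hex is tested before base64 because every hex string is also a valid
    base64-alphabet string. 'decoded' holds recovered text when a layer
    could be peeled off.
    """
    result = {"label": "plain", "entropy": 0.0, "decoded": None}
    if len(value) < 16:           # too short to say anything useful
        result["entropy"] = round(shannon_entropy(value.encode()), 2)
        return result
    if _HEX_RE.match(value):
        raw = binascii.unhexlify(value)
        result.update(label="hex", entropy=round(shannon_entropy(raw), 2))
        candidate = decode_hex_xor(value)
        if _is_text(candidate):   # the assumed key fits: custom encoding (m04)
            result["decoded"] = candidate.decode()
        return result
    if _B64_RE.match(value) and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            raw = b""
        if raw:
            result["entropy"] = round(shannon_entropy(raw), 2)
            if _is_text(raw):     # standard encoding of readable data (m03)
                result.update(label="base64", decoded=raw.decode())
            else:                 # decodes, but payload stays opaque (m05 / archive)
                result["label"] = "base64-opaque"
            return result
    result["entropy"] = round(shannon_entropy(value.encode()), 2)
    return result


def should_flag(result: dict) -> bool:
    """Anything that needed a layer peeled off is worth a second look."""
    return result["label"] != "plain"


def build_samples() -> dict:
    """Constructed request parameters, one per pattern described on the page."""
    json_blob = b'{"host":"WS-042","user":"jdoe"}'
    custom = b"vol=C:,id=WS-042,files=12"
    opaque = bytes(range(0x80, 0x80 + 24))          # stands in for ciphertext
    return {
        "plain": "hostname=WS-042&user=jdoe",
        "m03": base64.b64encode(json_blob).decode(),
        "m04": binascii.hexlify(xor_bytes(custom)).decode(),
        "m05": base64.b64encode(opaque).decode(),
    }


def triage(params: dict) -> dict:
    """Classify every parameter and return name -> result."""
    return {name: classify_param(value) for name, value in params.items()}


if __name__ == "__main__":
    for name, res in triage(build_samples()).items():
        print(f"{name:5} flag={should_flag(res)!s:5} {res}")
```

Run it as a script to see one line per sample. In practice the `build_samples()` input would be replaced by parameter values pulled from proxy or sandbox HTTP logs, and the entropy of the decoded bytes is the discriminator that keeps working once the encoding layer is known: Base64 of JSON decodes to readable text with modest entropy, while an encrypted or compressed archive decodes to unreadable bytes with entropy close to 8 bits per byte.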
Tool: CAPE | Mapping | APIs |
---|---|---|
encrypt_data_agenttesla_http | Archive Collected Data (E1560) | CryptEncrypt |
encrypt_data_agenttesla_http | Archive Collected Data::Encryption (E1560.m02) | CryptEncrypt |
encrypt_data_agentteslat2_http | Archive Collected Data (E1560) | CryptEncrypt, GetUserNameW, GetComputerNameW |
encrypt_data_agentteslat2_http | Archive Collected Data::Encryption (E1560.m02) | CryptEncrypt, GetUserNameW, GetComputerNameW |
encrypt_data_nanocore | Archive Collected Data (E1560) | CryptEncrypt, GetUserNameW, GetComputerNameW |
encrypt_data_nanocore | Archive Collected Data::Encryption (E1560.m02) | CryptEncrypt, GetUserNameW, GetComputerNameW |
[1] https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/
[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[3] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[4] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader