Written By: Austin Miller

MITRE ATT&CK – T1027: Obfuscated Files or Information 

Obfuscation is a word you will only ever find in cybersecurity documents. Obfuscated (or obscured) malware allows various types of information to be delivered covertly to a system: a Trojan horse that carries the adversary’s malicious files into Troy. As you would expect, a Trojan horse virus is a clear example of obfuscation, but understanding its other forms of trickery is key to effective cybersecurity work.

Hiding malicious files, code, commands, configurations, and other information was a key part of 13% of all malware samples analyzed by Picus and is a common defense-evasion tactic. Changing the form and size of data, hiding known malicious elements, and obscuring or removing indicators are all tools in the adversary’s kit, so understanding these tactics is key to improving your security posture.

What are obfuscated files and information? 

From a technical perspective, obfuscation of files and information refers to any action that attempts to hide the malicious nature of a file. Deliberately broad, this technique covers everything from hiding a malicious URL behind an HTML download attribute to steganography.

Exploring the procedures 

Obfuscation is a wide and varied practice, meaning that exploring an exhaustive list of procedures is difficult. Just as soon as you think you have every popular method covered, the adversary thinks up a new way to sneak something under your nose. 

As far as the MITRE ATT&CK framework goes, there are six main ways in which the adversary approaches obfuscated files or information. Here is a breakdown of what you should be on the lookout for. 

T1027.001 – Binary Padding 

“Padding” a piece of malware to change its on-disk representation is an easy way to evade scanners that check for specific file sizes, defeat hash-based static controls, and frustrate security researchers. The wiper viruses coming out of Russia lately are classic examples of this technique: by filling the code with junk, the adversary makes finding the actual malicious code a time-intensive process.

Many antivirus/antimalware services do not scan files over a certain size. Although this varies across different software, a malicious file over 650 MB in size would be passed over by VirusTotal. If the adversary knows what kind of antivirus/antimalware software an organization uses, evading detection becomes a matter of stuffing the file with junk data. 

T1027.002 – Software Packing 

Almost the opposite of binary padding, software packing uses compression and encryption to reduce the size of a piece of malware. This is done primarily to avoid signature-based detection and slip past primary defenses, but it also frustrates security researchers attempting to reverse-engineer the malware.
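Two quick triage checks for the padding and packing sub-techniques above, added here as an example that is not part of the original article: a long run of one repeated byte at the end of a file is the signature of crude binary padding, while an unusually high Shannon entropy of the file body points to compressed or encrypted (packed) content. The three samples and the 0.5 pad-ratio and 7.2 bits-per-byte thresholds are constructed for illustration and should be tuned against your own file corpus.

```python
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code/text usually sits around 4-6.5, packed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def trailing_run(data: bytes) -> int:
    """Length of the run of a single repeated byte value at the very end of the file."""
    return len(data) - len(data.rstrip(data[-1:])) if data else 0

def triage(data: bytes, pad_ratio: float = 0.5, packed_entropy: float = 7.2) -> dict:
    """Flag crude padding and likely packing; also hash the un-padded body so that
    padded variants of the same sample still collapse to one stable identifier."""
    n = len(data)
    pad = trailing_run(data)
    padded = n > 0 and pad / n >= pad_ratio
    body = data[: n - pad] if padded else data
    entropy = shannon_entropy(body)
    return {
        "size": n,
        "sha256": hashlib.sha256(data).hexdigest(),
        "padded": padded,
        "trailing_pad_bytes": pad,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "entropy": round(entropy, 2),
        "likely_packed": entropy >= packed_entropy,
    }

def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for a packed section (constructed)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed samples: a plain file, the same file padded with 50 000 null bytes, and a "packed" blob.
SAMPLE_PLAIN = b"MZ" + b"This is plain program text. " * 200
SAMPLE_PADDED = SAMPLE_PLAIN + b"\x00" * 50_000
SAMPLE_PACKED = b"MZ" + pseudo_random(8192)
```

Call triage() on the raw bytes of a file; the padded sample reports the same body_sha256 as the plain one, which is the value worth matching against when padding is in play.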

T1027.003 – Steganography 

Hiding files inside other files catches out even security-aware individuals from time to time. Formally named steganography, this method is usually paired with cryptography to create encrypted, obfuscated files that slip easily into a cover file. Malware embedded this way in a compromised source, e.g. a website, would not generally raise suspicion, so victims are easily fooled.

T1027.004 – Compile After Delivery 

Antivirus/antimalware scanners tend to look for executables or binaries, but many lack the capability to deal with uncompiled code. By using Living off the Land (LotL) techniques such as invoking csc.exe or GCC/MinGW to compile code before execution, the adversary builds their weapons inside the castle walls and evades many conventional defenses.

MuddyWater is a prime example of this technique: using the csc.exe utility from the .NET Framework, it compiles the actual malware from C# code transmitted to the system.
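A detection you can run over endpoint process-creation telemetry for the compile-after-delivery pattern above, added here as an example that is not from the original article. It assumes JSON-per-line events with ts, image, parent_image and cmdline fields (a constructed schema), treats compiler launches from build tools as benign, and raises the severity when the parent is an Office or script host or the source lives in a user-writable directory.

```python
import json
import ntpath

# Compilers the article names (csc.exe, GCC/MinGW); extend for your estate.
COMPILERS = {"csc.exe", "vbc.exe", "gcc.exe", "g++.exe", "mingw32-gcc.exe"}
# Parents from which compiler launches are expected and not alerted on.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
# Parents that should never be compiling code on an ordinary workstation.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def classify(event: dict):
    """Return None (ignore), 'medium' or 'high' for one process-creation event."""
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if image not in COMPILERS and not image.endswith("-gcc.exe"):
        return None
    if parent in BUILD_PARENTS:
        return None
    cmdline = event.get("cmdline", "").lower()
    if parent in RISKY_PARENTS or any(d in cmdline for d in USER_WRITABLE):
        return "high"
    return "medium"

def scan(log_text: str) -> list:
    """Run classify() over JSON-lines telemetry and return the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        severity = classify(ev)
        if severity:
            alerts.append({"ts": ev["ts"], "severity": severity,
                           "image": ev["image"], "parent": ev["parent_image"]})
    return alerts

# Constructed sample telemetry (not real logs): a Visual Studio build, a PowerShell-spawned
# compile out of a temp folder, a command-line gcc build, and an unrelated process.
SAMPLE_LOG = r'''
{"ts": "2024-01-09T10:01:02Z", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmdline": "csc.exe /out:App.exe C:\\src\\App\\Program.cs"}
{"ts": "2024-01-09T10:05:44Z", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "csc.exe /nologo /out:C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.cs"}
{"ts": "2024-01-09T10:07:10Z", "image": "C:\\MinGW\\bin\\gcc.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "gcc.exe -o C:\\src\\tool.exe C:\\src\\tool.c"}
{"ts": "2024-01-09T10:08:00Z", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
'''
```

scan(SAMPLE_LOG) returns two alerts: the PowerShell-spawned csc.exe as high and the cmd.exe-spawned gcc.exe as medium, while the devenv.exe build is ignored.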

T1027.005 – Indicator Removal from Tools 

Many threat actors are now reactive and ready to change their malware once it becomes apparent that it has been analyzed and countered. The rising sophistication of the adversary means that attacks such as Qakbot and Patchwork have been relaunched after a successful defense.

In the case of Qakbot, a banking Trojan, every payload downloaded from the command-and-control (C2) servers carries a unique SHA256 hash, defeating scanners that rely on file recognition. The Patchwork hacking group appended a random four-byte string after the PE-referenced data to change the file hash. When the adversary uses these methods, conventional scanners fail.

T1027.006 – HTML Smuggling 

Hiding a malicious payload inside an HTML file is possible thanks to JavaScript Blobs and HTML5 download attributes. Content filters are bypassed, and the adversary can sneak a seemingly innocuous HTML file past the primary defenses.

With HTML5, for example, the anchor <a> tag supports a download attribute. The adversary could craft a file like this:

<a href="/files/maliciousfile.doc" download="myfile.doc">Click</a>

By clicking this seemingly innocent link, the user downloads the malicious file onto the system.
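A static check for the HTML smuggling indicators described above, added here as an example that is not part of the original article: it flags download anchors that deliver risky file types and <script> blocks that assemble a file client-side from decoded data (Blob together with atob or createObjectURL). The HTML sample, the RISKY_EXT list and the finding labels are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# File types commonly delivered by smuggled downloads (constructed list; extend to taste).
RISKY_EXT = (".exe", ".dll", ".js", ".vbs", ".hta", ".iso", ".img", ".lnk",
             ".zip", ".doc", ".docm", ".xls", ".xlsm")
# Matches a file name assigned in script, e.g. a.download = "invoice.iso"
DOWNLOAD_NAME = re.compile(r"""\.download\s*=\s*["']([^"']+)["']""")

class SmugglingScanner(HTMLParser):
    """Collects (kind, detail) findings for download anchors and client-side file assembly."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None          # buffer of text seen while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script = []
        elif tag == "a" and "download" in a:
            # A bare <a download> falls back to the file name in href.
            name = (a.get("download") or a.get("href") or "").rsplit("/", 1)[-1]
            if name.lower().endswith(RISKY_EXT):
                self.findings.append(("download-attr", name))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            js, self._script = "".join(self._script), None
            low = js.lower()
            if "blob(" in low and ("atob(" in low or "createobjecturl(" in low):
                self.findings.append(("blob-assembly", "Blob built from decoded data in script"))
            for name in DOWNLOAD_NAME.findall(js):
                if name.lower().endswith(RISKY_EXT):
                    self.findings.append(("script-download-name", name))

def scan_html(text: str) -> list:
    scanner = SmugglingScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample page containing both patterns (not a real capture); the base64 decodes to "hello".
SAMPLE_HTML = """<a href="/files/maliciousfile.doc" download="myfile.doc">Click</a>
<a href="/docs/guide.pdf" download>Guide</a>
<script>var b = new Blob([Uint8Array.from(atob("aGVsbG8="), c => c.charCodeAt(0))]);
var a = document.createElement("a"); a.href = URL.createObjectURL(b);
a.download = "invoice.iso"; a.click();</script>"""
```

scan_html(SAMPLE_HTML) reports the .doc download anchor, the Blob assembly and the invoice.iso name set from script, and stays silent on the plain PDF link.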

How can I defend my organization? 

Because of the wide range of procedures the adversary uses, defending against obfuscation is difficult. However, you can read more about the relevant mitigations in the MITRE ATT&CK framework via the following links:

  • M1040 – Behaviour Prevention on Endpoint 
  • M1049 – Antivirus/Antimalware  
