Procedures

Exfiltration Over C2 Channel

  • The Lazarus Group, attributed to North Korea, is notorious for its use of existing command and control (C2) channels for exfiltrating data. They employ sophisticated methods, leveraging compromised legitimate websites as C2 servers and exfiltrating data through protocols such as HTTP and HTTPS. One illustrative example involves the Lazarus Group's use of Tor networks for secure data transfer. They host malicious endpoints on legitimate web servers, establish a C2 channel through these servers, and encode the stolen data within the normal communications protocol used for C2 traffic.

  • APT10, often linked to China, exemplifies strategic data exfiltration via C2 channels. Known for targeting Managed Service Providers (MSPs), APT10 infiltrates network environments shared between MSPs and their clients. They typically identify and stage sensitive data quietly, often compressing it into multipart archives and storing it in overlooked areas such as the Recycle Bin. Data exfiltration is often executed through legitimate tools, such as Robocopy and the PuTTY Secure Copy client (PSCP), which they sometimes rename to blend in with legitimate network activity. APT10 frequently pushes data from the victim network to intermediary networks before pulling it to C2 servers, which helps mask the origin of their data exfiltration efforts.

  • Shuckworm, also known as Gamaredon or Armageddon, is a Russian-linked cyber espionage group active since at least 2013. Primarily targeting entities in Ukraine, Shuckworm employs various sophisticated techniques to carry out its operations, including the use of existing command and control (C2) channels for data exfiltration. One notable method includes the use of HTTP POST requests to their C2 servers to download additional payloads and facilitate data exfiltration. This straightforward web-based C2 communication allows them to blend malicious traffic with legitimate HTTP traffic, reducing the likelihood of detection.

  • Earth Lusca, an advanced persistent threat group, leverages both widely-known tools and custom malware to infiltrate, persist, and exfiltrate data. One prominent tactic they use is uploading collected data to cloud services like Mega. By leveraging tools such as megacmd, they can automate the process of transferring exfiltrated data securely through established C2 channels. This method not only maximizes the cover and persistence of their operations but also integrates seamlessly with legitimate cloud activities, making the malicious actions less conspicuous to security monitoring tools.

Exfiltration Over Unencrypted Non-C2 Protocol

  • Hworm, also known as Houdini, is a versatile remote access trojan (RAT) used by attackers to exfiltrate data over unencrypted protocols. This malware, often delivered through politically charged or sensational files, uses a mixed binary and ASCII protocol over TCP for command and control (C2) communications. However, the actual exfiltration of data is conducted over the unencrypted portions of these mixed protocols to evade detection. The attackers leverage the open nature of these protocols to blend their malicious activities with regular traffic. By doing so, they avoid drawing attention to their exfiltration activities, making it difficult for traditional security measures to effectively monitor and block the data leakage.

  • The Red October cyber espionage campaign demonstrates another example of using unencrypted non-C2 protocols for data exfiltration. Targeting diplomatic, governmental, and scientific research organizations, the attackers in this campaign employ various unencrypted protocols, such as SMB for file transfers and FTP for data exfiltration. The use of anonymous FTP servers allows them to upload and extract sensitive information without detection.

  • Mustang Panda, also known as RedDelta, is a China-based APT group known for using unencrypted non-C2 protocols like HTTP and FTP to exfiltrate data. The group often stages collected data in temporary directories before exfiltrating it to remote servers. By leveraging legitimate but unencrypted channels for data transfer, such as common file hosting services, they manage to blend malicious traffic with legitimate network activities, thus evading detection.

  • The MoustachedBouncer espionage group targets foreign diplomats in Belarus and uses unencrypted HTTP traffic for their exfiltration activities. They exploit HTTP by redirecting legitimate traffic such as Windows Update checks to malicious servers. This allows them to serve malware and intercept data covertly. The lack of encryption in HTTP combined with users' implicit trust in seemingly routine updates makes this a potent method for undetected data exfiltration.

Exfiltration Over Web Service: Exfiltration to Cloud Storage

  • Earth Wendigo employs a WebSocket backdoor for exfiltrating mailbox data via cloud services. Their malware establishes a WebSocket connection between the victim's browser and a WebSocket server controlled by the attackers. This backdoor reads emails and attachments from the webmail server and sends them to the attacker’s server. By using cloud services for this data transfer, Earth Wendigo can exfiltrate large volumes of sensitive information while evading detection. The exfiltration process is stealthy and efficient, leveraging legitimate web services to hide their activities.

  • ScarCruft is a Korean-speaking, allegedly state-sponsored threat actor active since at least 2016. This group frequently targets organizations with connections to the Korean peninsula, employing sophisticated methods for data exfiltration. ScarCruft's advanced tools include a backdoor known as ROKRAT, which leverages cloud services such as Box, Dropbox, pCloud, and Yandex for data exfiltration and command and control (C2) operations. This backdoor can create multiple threads to manage various tasks, including stealing information and uploading it to cloud storage. By operating through legitimate cloud services, ROKRAT enables ScarCruft to blend their malicious activities with normal network traffic, thus evading detection.

  • Geumseong121, a North Korean state-sponsored group, conducted an advanced persistent threat (APT) campaign known as "Operation Spy Cloud" starting in early March 2020. One of the key techniques employed by Geumseong121 was the use of legitimate cloud services like Google Drive and pCloud for both C2 operations and data exfiltration. Malicious documents used in the campaign contained obfuscated VBA macros that established communication with C2 servers and executed payloads designed to steal information intended for storage on these cloud services.

  • Polonium, a Lebanon-based activity group primarily targeting Israeli organizations, is known for its abuse of legitimate cloud services for both C2 operations and data exfiltration. Polonium used custom-developed implants like CreepyDrive and CreepyBox which interacted with legitimate OneDrive accounts to effectively mask their activities. These implants allowed the group to upload stolen data to OneDrive accounts discreetly, making their data extraction operations difficult to distinguish from regular user activity. The integration of OAuth tokens within these implants ensured continuous and uninterrupted access to the cloud service, thus maintaining a secure and hidden channel for data exfiltration.

Scheduled Transfer

  • Antlion APT is a Chinese state-backed group targeting financial institutions in Taiwan. They use a variety of custom and off-the-shelf tools, including the xPack backdoor and the BitsTransfer module in PowerShell, for data exfiltration. The exfiltration process involves using PowerShell scripts to upload data to attacker-controlled infrastructure at scheduled intervals. Scheduled tasks are used to automate these processes, ensuring data is periodically sent without raising immediate suspicion.

  • Operation GhostShell is conducted by the Iranian threat actor group MalKamak, targeting the aerospace and telecommunications sectors. They use the ShellClient RAT, which communicates with Dropbox for command and control. The RAT checks Dropbox every few seconds for new commands and uses scheduled tasks to compress and upload data to Dropbox. This method allows for the regular, automated exfiltration of collected data, blending malicious activities with normal network traffic. The strategic use of scheduled tasks for exfiltration ensures continuous data theft while maintaining a low profile.

  • ModPipe is a sophisticated modular malware targeting the hospitality sector, particularly the ORACLE MICROS RES 3700 POS system. It uses scheduled transfers to exfiltrate data, with the main module set to upload data every 30 minutes. This regular interval ensures that collected data is systematically transmitted to the command and control servers without requiring continuous manual oversight. The data is encrypted and sent over HTTP, further blending with legitimate traffic. By automating the exfiltration process through scheduled tasks, ModPipe can efficiently and covertly siphon off sensitive information.

  • TG-3390, also known as APT27 or Emissary Panda, is known for its methodical approach to data exfiltration. After gaining access to a network and identifying valuable data, they typically use tools like WinRAR to compress and encrypt this data before exfiltration. TG-3390 frequently employs scheduled tasks to automate the exfiltration process, using tools like schtasks.exe on Windows systems. These tasks execute at specific times to blend the exfiltration traffic with normal network activity, making it harder for defenders to detect. They often transfer the data via HTTP GET requests or through tools like PlugX, ensuring a consistent outflow of information without drawing immediate attention.

Data Transfer Size Limits

  • Antlion is a Chinese state-backed group targeting financial institutions in Taiwan. They use the xPack backdoor and PowerShell scripts to exfiltrate data by using the BitsTransfer module. By setting a transfer size limit on the data to be exfiltrated, they ensure that each chunk of data is small enough to evade detection by standard monitoring tools. The PowerShell scripts compress and encrypt the data before initiating the transfer, further concealing their activities. Scheduled tasks automate the execution of these scripts, ensuring regular intervals of data transfer. This methodical approach allows Antlion to systematically exfiltrate large amounts of data without raising immediate alarms.

  • OilRig (APT34), an Iranian cyber espionage group, targets organizations in the Middle East. They use a variety of techniques for data exfiltration, including limiting the size of transferred data. By doing so, they avoid triggering detection mechanisms that monitor for large data transfers. The malware used compresses and encrypts data before sending it out in small, inconspicuous packets. These packets are transmitted over HTTP or HTTPS, blending with regular network traffic. Scheduled tasks ensure that these exfiltration activities occur at regular intervals, maintaining a steady flow of data to the attackers.

  • Turla, a sophisticated Russian cyber espionage group, employs segmented data exfiltration to avoid detection. Their malware breaks down data into smaller chunks, which are then encrypted and sent to C2 servers using standard web protocols. This method ensures that the data transfer remains within normal traffic patterns, making it difficult for monitoring tools to detect the exfiltration. Scheduled tasks automate the process, ensuring that data is regularly sent out in small, manageable sizes.

  • The Lazarus Group, widely suspected to be connected to North Korea, is known for its sophisticated cyber espionage operations. In several instances, this group has demonstrated the capability to not only breach targets but also exfiltrate data in a methodical and stealthy manner. They utilize custom tunneling tools that encrypt traffic, covert channels, and employ techniques such as base64 encoding of the exfiltrated data. This ensures the chunks of data being transferred do not arouse suspicion.
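The scheduled, size-capped upload pattern described in this section and in the preceding Scheduled Transfer section (fixed intervals, every transfer kept under a size ceiling) is what a defender can hunt for in proxy logs. The following is an added example, not code from the page or from any vendor; the log lines, hosts and thresholds are constructed assumptions:

```python
"""Flag hosts that push small, evenly spaced uploads to one destination.

Added example (not code from the page or from any vendor): it scores
(source, destination) pairs in constructed proxy-log lines for the two
traits described above, fixed scheduling and a per-transfer size cap.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one event per line:
# "timestamp src dst method bytes_out". Hosts and names are placeholders.
SAMPLE_LOG = """\
2024-05-01T09:00:03 10.0.0.5 files.example.net POST 48120
2024-05-01T09:00:41 10.0.0.5 mail.example.org GET 812
2024-05-01T09:30:04 10.0.0.5 files.example.net POST 48000
2024-05-01T09:45:12 10.0.0.8 cdn.example.com GET 1900
2024-05-01T10:00:02 10.0.0.5 files.example.net POST 47900
2024-05-01T10:12:55 10.0.0.8 files.example.net POST 5200
2024-05-01T10:30:05 10.0.0.5 files.example.net POST 48210
2024-05-01T11:00:03 10.0.0.5 files.example.net POST 47850
2024-05-01T11:30:04 10.0.0.5 files.example.net POST 48050
2024-05-01T11:47:30 10.0.0.8 files.example.net POST 910000
"""


def parse_uploads(text):
    """Yield (timestamp, src, dst, bytes_out) for the POST lines only."""
    for line in text.splitlines():
        ts, src, dst, method, nbytes = line.split()
        if method == "POST":
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_scheduled_uploads(text, min_events=5, max_jitter=0.1, max_chunk=65536):
    """Return {(src, dst): summary} for pairs whose uploads look scheduled
    and size-capped: at least min_events POSTs, inter-arrival times whose
    relative spread is at most max_jitter, every POST at most max_chunk
    bytes. A single large upload (the last 10.0.0.8 line) is left to
    volume-based alerting; this function targets the small, regular kind.
    """
    events = defaultdict(list)
    for ts, src, dst, nbytes in parse_uploads(text):
        events[(src, dst)].append((ts, nbytes))
    hits = {}
    for pair, rows in events.items():
        if len(rows) < min_events:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        sizes = [n for _, n in rows]
        if max(sizes) > max_chunk or mean(gaps) == 0:
            continue
        jitter = pstdev(gaps) / mean(gaps)  # 0 means a perfectly fixed period
        if jitter <= max_jitter:
            hits[pair] = {"count": len(rows), "period_s": round(mean(gaps)),
                          "jitter": round(jitter, 3), "total_bytes": sum(sizes)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_scheduled_uploads(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

Tune max_chunk to the size band your proxy normally sees for uploads; the total_bytes figure is what shows that many small chunks still add up to a meaningful volume.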

Exfiltration Over Physical Medium: Exfiltration over USB

  • APT28 (Fancy Bear), a Russian cyber espionage group, has been known to use USB drives for data exfiltration. They often rely on physical access to the target systems to deploy their malware via USB drives. The malware is designed to automatically execute when the USB drive is inserted into a computer, leveraging Windows' autorun features. Once executed, it collects sensitive data from the infected system and stores it on the USB drive. This data is then physically transported back to the attackers. The use of USB drives helps bypass network security measures, making it difficult to detect the exfiltration process. This technique highlights APT28's capability to conduct operations even in highly secured and air-gapped environments.

  • Tropic Trooper, active since 2011, targets government, military, healthcare, transportation, and high-tech industries, particularly in Taiwan, the Philippines, and Hong Kong. They use a malware known as USBferry to exfiltrate data from air-gapped systems. USBferry is spread via USB drives, which are used to transfer the malware to isolated networks. Once the malware is executed, it collects data and stores it back on the USB drive. The USB drive is then used to physically transport the data out of the secured environment. This method allows Tropic Trooper to steal sensitive information without relying on network connectivity, making detection extremely challenging.

  • Equation Group, often linked to the NSA, has used sophisticated USB-based malware to exfiltrate data from air-gapped systems. Their malware, known as Fanny, was spread via USB drives and designed to bridge air-gapped networks. Fanny collects data from infected machines and stores it on the USB drive, which is later retrieved by the attackers. This method ensures that the malware can operate in highly secure environments where network-based exfiltration is not feasible. Equation Group's use of USB drives showcases their advanced capabilities in targeting and compromising isolated systems.

  • Dark Hotel, an APT group known for targeting high-profile business executives, has also employed USB drives for data exfiltration. They use spear-phishing emails to initially compromise their targets and then deploy malware via USB drives to collect data from air-gapped systems. The collected data is stored on the USB drive, which the attackers later retrieve. This physical method of data exfiltration helps them avoid detection by network security tools and ensures they can access sensitive information from highly secure environments.

Exfiltration Over Alternative Protocol

  • Lazarus Group, which is linked to North Korea, has used a variety of network protocols for data exfiltration, often leveraging protocols like HTTP and HTTPS to send data to compromised legitimate websites. They incorporate encryption and obfuscation to disguise these activities, making them blend in with regular traffic and thus avoiding detection by network security appliances. One notable method involves using the Tor network to download the exfiltrated data from the compromised web servers, adding an extra layer of anonymity and evasion.

  • APT3, a Chinese cyber-espionage group, is known for its capability to exfiltrate data using alternative protocols that blend with typical network traffic. They often use FTP (File Transfer Protocol) for data exfiltration. APT3 is skilled at using commonly approved network ports and protocols, which are typically permitted and not scrutinized closely by network defenses. By employing SSL encryption and commonly used protocols, such as HTTPS over non-standard ports, APT3 can mask their data transfer activities within legitimate business communication channels.

  • APT29, attributed to Russia’s Foreign Intelligence Service (SVR), exploits alternative protocols such as DNS, HTTP/S, and SMTP for data exfiltration. For example, they send data exfiltration commands to malware using DNS queries and responses, a technique that allows data to be transferred in small, seemingly innocuous pieces through normal DNS traffic. This method is particularly stealthy as DNS is a protocol that is often necessary for network operations, thereby often overlooked by security monitoring solutions.

  • Mustang Panda, a China-based cyber espionage group, also uses alternative protocols for data exfiltration. They deploy tools like PlugX and Cobalt Strike that leverage HTTP and HTTPS for command and control communications and data exfiltration. These tools allow Mustang Panda to infiltrate systems and exfiltrate data using web protocols, which are commonly allowed through firewalls and other network security measures because regular business operations depend on them. This technique is particularly effective in making the exfiltration traffic appear as normal user activity.
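The DNS-carried exfiltration in the APT29 item above leaves a trace a resolver log can surface: many unique, long, high-entropy leftmost labels queried under one parent domain. Below is an added example, not code from the page or from any vendor; the query names, the placeholder parent domain and the thresholds are constructed assumptions:

```python
"""Score DNS query names for the traits of data carried in DNS queries.

Added example (not code from the page or from any vendor): it inspects
constructed resolver-log query names for the pattern described above,
many small pieces of data carried as unique, long, high-entropy leftmost
labels under one parent domain. Domain names are placeholders.
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed query log: benign names plus six lookups (one repeated)
# whose leftmost label is encoded data under a placeholder parent domain.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn-assets-static-host.example.net",
    "kq7zbwx3gmfdlc2vsehtnj5uyrpa46oi.up.c2-placeholder.example",
    "m2pd6kfzu5tqw7vjy3bnhs4lgaoexr.up.c2-placeholder.example",
    "ylv4zrhk2bxg7smqtp6jndw3cuoaef.up.c2-placeholder.example",
    "m2pd6kfzu5tqw7vjy3bnhs4lgaoexr.up.c2-placeholder.example",
    "xe5gnrdmzvj2tk7bfwqph4laou3sc6.up.c2-placeholder.example",
    "wq3hmt6zpbrvg2kexndy5lsjfa7cuo.up.c2-placeholder.example",
]


def shannon_entropy(s):
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def parent_domain(qname, levels=2):
    """Last `levels` labels; assumed to be the registrable domain here."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def suspicious_domains(qnames, min_queries=5, min_entropy=3.5, min_len=20):
    """Return {parent: stats} for parents that receive at least min_queries
    distinct query names whose leftmost label is both long and high-entropy.
    Requiring many distinct names is what separates this pattern from a
    single legitimate hashed CDN hostname that is looked up repeatedly."""
    per_parent = defaultdict(dict)
    for q in qnames:
        q = q.rstrip(".").lower()
        label = q.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            per_parent[parent_domain(q)][q] = len(label)
    return {
        parent: {"unique_queries": len(seen),
                 "avg_label_len": round(mean(seen.values()), 1)}
        for parent, seen in per_parent.items() if len(seen) >= min_queries
    }


if __name__ == "__main__":
    for parent, stats in suspicious_domains(SAMPLE_QUERIES).items():
        print(parent, stats)
```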

Exfiltration Over Web Service

  • LuminousMoth has been observed using both Dropbox and Google Drive for exfiltrating data and delivering malicious payloads. This group, initially targeting government entities in Asia, used Dropbox links in their spear-phishing campaigns to lure victims into downloading malware. Once the victim's system was compromised, the malware would exfiltrate sensitive data to Google Drive. In addition to data exfiltration, LuminousMoth hosted malicious payloads on Dropbox, disguising their operations as legitimate file-sharing activities to evade detection.

  • Turla, a cyber-espionage group often linked to Russian intelligence, developed a tool named Crutch for exfiltrating data. Crutch is specifically designed to use Dropbox for command and control as well as data exfiltration. The tool automatically monitors removable drives for interesting files and uploads them to Dropbox. This strategic use of a well-known cloud storage service helps Turla blend malicious activities with legitimate network traffic, thereby reducing the likelihood of detection. Additionally, Crutch utilizes GitHub as a fallback communication channel, revealing the group's sophistication in ensuring persistent and stealthy data exfiltration.

  • APT32, also known as OceanLotus, is a sophisticated APT group known to use services like Dropbox and Google Drive to distribute malware and exfiltrate data. This Vietnamese group has been seen hosting malicious payloads on Dropbox, using these links in their spear-phishing emails to compromise targets. Moreover, once inside the target network, APT32 can use these services for command and control by hiding their communications amidst regular traffic. APT32 has also leveraged other cloud services like Amazon S3 for similar purposes, demonstrating their versatility and adaptability in using multiple cloud platforms to support their malicious operations.

  • APT29, also known as Cozy Bear, employed a sophisticated malware named Hammertoss that uses Twitter, GitHub, and cloud storage services for command and control (C2) and data exfiltration. Hammertoss generates a daily Twitter handle and posts URLs that lead to GitHub, from which it downloads images with encrypted data hidden via steganography. The hidden data carries commands and can direct the malware to upload exfiltrated data to cloud storage services. This method ensures their communication blends with legitimate traffic, making detection challenging.

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

  • Turla, also known as APT28, is a sophisticated cyberespionage group known for targeting government, military, and diplomatic organizations. They have employed a malware named LightNeuron to compromise Microsoft Exchange mail servers. This malware exfiltrates data by using email-based command and control (C2) with commands hidden in email attachments via steganography. The attachments (PDFs or JPGs) contain data encrypted with AES, ensuring that both commands and exfiltrated data are hidden within the email traffic, making it difficult to detect the malicious activity.

  • APT34, also known as OilRig, is an Iranian cyber-espionage group primarily targeting entities in the Middle East. They have used a technique involving the use of job opportunity documents and DNS tunneling. The malware communicates with the C2 server using HTTP POST requests, where commands are hidden in the HTML code of a fake Flickr page. Communications are encrypted using a custom algorithm based on the Mersenne Twister pseudorandom number generator and encoded with Base64 before transmission, ensuring secure data exfiltration without using traditional C2 protocols.

  • Lazarus Group, associated with North Korea, has used sophisticated malware such as the ELMER backdoor, which exfiltrates data using encrypted HTTP GET and POST requests. The exfiltrated data includes file and directory information and process details, all encrypted using a custom algorithm. This method ensures that the data remains secure and avoids detection by embedding within regular web traffic, leveraging asymmetric encryption for added security.

  • APT29, also known as Cozy Bear, is suspected to be linked to Russian intelligence. This group has used sophisticated techniques like credential hopping and cookie theft to bypass multi-factor authentication (MFA). Data exfiltration is carried out using custom-built tools that encrypt and compress data before uploading it to cloud storage services, ensuring secure and stealthy exfiltration through non-traditional channels that avoid direct C2 paths.
