| ID | Name |
|---|---|
| T1001.001 | Junk Data |
| T1001.002 | Steganography |
| T1001.003 | Protocol or Service Impersonation |
Adversaries may add junk data to protocols used for command and control to make detection more difficult.[1] By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a "junk length" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.[2] |
| S1246 | BeaverTail | BeaverTail has added junk data or a dummy character prepended to a string to hamper decoding attempts.[3] |
| S0574 | BendyBear | BendyBear has used byte randomization to obscure its behavior.[4] |
| S0134 | Downdelph | Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.[5] |
| S0588 | GoldMax | GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.[6] |
| S0632 | GrimAgent | GrimAgent can pad C2 messages with randomly generated values.[7] |
| S1020 | Kevin | Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.[8] |
| S1047 | Mori | |
| S0016 | P2P ZeuS | P2P ZeuS added junk data to outgoing UDP packets to peer implants.[10] |
| S0626 | P8RAT | P8RAT can send randomly-generated data as part of its C2 communication.[11] |
| S0435 | PLEAD | PLEAD samples were found to be highly obfuscated with junk code.[12][13] |
| S0559 | SUNBURST | |
| S0682 | TrailBlazer | TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[14] |
| S0647 | Turian | Turian can insert pseudo-random characters into its network encryption setup.[15] |
| S1164 | UPSTYLE | UPSTYLE retrieves a non-existent webpage from the command and control server, then parses commands from the resulting error logs to decode commands to the web shell.[16] |
| S0022 | Uroburos | Uroburos can add extra characters in encoded strings to help mimic legitimate DNS requests.[17] |
| S0514 | WellMess | WellMess can use junk data in the Base64 string for additional obfuscation.[18] |
| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0011 | Detecting Junk Data in C2 Channels via Behavioral Analysis | AN0030 | Processes generating large outbound connections with disproportionate send/receive ratios, often to uncommon ports or hosts, potentially inserting meaningless data into protocol payloads. |
| DET0011 | Detecting Junk Data in C2 Channels via Behavioral Analysis | AN0031 | Outbound traffic with anomalous payload sizes and patterns from non-networking processes, often observed via packet inspection or connection logs. |
| DET0011 | Detecting Junk Data in C2 Channels via Behavioral Analysis | AN0032 | Previously unseen applications generating outbound connections with atypical data flow characteristics, such as excessive data with no return response. |
| DET0011 | Detecting Junk Data in C2 Channels via Behavioral Analysis | AN0033 | Anomalous traffic from ESXi host management daemons (like hostd or vpxa) embedding non-standard payloads in management protocols (e.g., HTTPS) or beaconing behavior. |
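The following is an added worked example, not part of the ATT&CK page and not MITRE's own detection content. It turns the behavioral analytics AN0030 through AN0032 into runnable logic over a constructed connection log: it scores each outbound connection on send/receive ratio, absence of any reply, an unfamiliar source process, and an uncommon destination port, then flags connections that hit several of these at once. The log records, the thresholds, the allow-list of known networking processes and the set of "common" ports are all assumptions chosen for illustration and would be tuned per environment.

```python
"""Flag outbound connections whose data-flow shape matches junk-padded C2
(ATT&CK T1001.001, analytics AN0030-AN0032).

Added example; not MITRE content. The sample records, thresholds, process
allow-list and common-port set are constructed assumptions.
"""
from collections import defaultdict

# Constructed connection-log records (not real telemetry). Each record is one
# flow summary: originating process, destination, port, bytes sent, bytes received.
SAMPLE_CONNECTIONS = [
    {"process": "chrome.exe", "dst": "203.0.113.10", "port": 443, "bytes_out": 4200, "bytes_in": 180000},
    {"process": "chrome.exe", "dst": "203.0.113.11", "port": 443, "bytes_out": 3900, "bytes_in": 95000},
    {"process": "outlook.exe", "dst": "203.0.113.20", "port": 443, "bytes_out": 12000, "bytes_in": 60000},
    # Unfamiliar process sending large, almost one-way payloads to an uncommon port.
    {"process": "svchost_update.exe", "dst": "198.51.100.7", "port": 8443, "bytes_out": 250000, "bytes_in": 320},
    {"process": "svchost_update.exe", "dst": "198.51.100.7", "port": 8443, "bytes_out": 248000, "bytes_in": 0},
    {"process": "svchost_update.exe", "dst": "198.51.100.7", "port": 8443, "bytes_out": 251000, "bytes_in": 300},
    # Legitimate bulk upload: known process, common port, large send volume.
    {"process": "onedrive.exe", "dst": "203.0.113.30", "port": 443, "bytes_out": 900000, "bytes_in": 5000},
]

# Assumed environment baseline: processes expected to talk to the network,
# and ports that are routine for them.
KNOWN_NETWORKING_PROCESSES = {"chrome.exe", "outlook.exe", "onedrive.exe"}
COMMON_PORTS = {80, 443, 53}


def send_receive_ratio(bytes_out, bytes_in):
    """Bytes sent per byte received; a zero-reply flow is treated as ratio bytes_out."""
    return bytes_out / max(bytes_in, 1)


def score_connection(rec, ratio_threshold=20.0, min_bytes_out=100_000):
    """Return the list of analytic indicators this single connection matches."""
    reasons = []
    ratio = send_receive_ratio(rec["bytes_out"], rec["bytes_in"])
    # AN0030: large outbound volume with a disproportionate send/receive ratio.
    if rec["bytes_out"] >= min_bytes_out and ratio >= ratio_threshold:
        reasons.append("disproportionate send/receive ratio")
    # AN0032: excessive data with no return response at all.
    if rec["bytes_in"] == 0 and rec["bytes_out"] >= min_bytes_out:
        reasons.append("excessive data with no return response")
    # AN0031/AN0032: originating process is not an expected networking application.
    if rec["process"] not in KNOWN_NETWORKING_PROCESSES:
        reasons.append("previously unseen process")
    # AN0030: destination port is outside the routine set.
    if rec["port"] not in COMMON_PORTS:
        reasons.append("uncommon port")
    return reasons


def find_suspicious(records, min_reasons=2):
    """Connections matching at least min_reasons indicators, as (process, dst, port, reasons)."""
    hits = []
    for rec in records:
        reasons = score_connection(rec)
        if len(reasons) >= min_reasons:
            hits.append((rec["process"], rec["dst"], rec["port"], reasons))
    return hits


def summarize_by_peer(records):
    """Aggregate flows per (process, dst, port) so repeated one-way beacons stand out."""
    totals = defaultdict(lambda: {"count": 0, "bytes_out": 0, "bytes_in": 0})
    for rec in records:
        key = (rec["process"], rec["dst"], rec["port"])
        totals[key]["count"] += 1
        totals[key]["bytes_out"] += rec["bytes_out"]
        totals[key]["bytes_in"] += rec["bytes_in"]
    for summary in totals.values():
        summary["ratio"] = send_receive_ratio(summary["bytes_out"], summary["bytes_in"])
    return dict(totals)


if __name__ == "__main__":
    for process, dst, port, reasons in find_suspicious(SAMPLE_CONNECTIONS):
        print(f"{process} -> {dst}:{port}: {', '.join(reasons)}")
    for (process, dst, port), s in summarize_by_peer(SAMPLE_CONNECTIONS).items():
        print(f"{process} -> {dst}:{port}: {s['count']} flows, ratio {s['ratio']:.1f}")
```

The `min_reasons` threshold is the point of the design: the OneDrive upload in the sample has a send/receive ratio of 180, which would trip a ratio-only rule, but it comes from a known process on a routine port and so matches only one indicator. The three flows from the unfamiliar process match three or four indicators each and are the only ones reported. Aggregating per peer additionally shows the repeated, nearly reply-less flows to one destination that the per-connection view treats independently.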