Lurid can compress data before sending it.
Lizar has encrypted data before sending it to the server.
LightNeuron contains a function to encrypt and store emails that it collects.
Leviathan has archived victim's data prior to exfiltration.
Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in.
KONNI has encrypted data and files prior to exfiltration.
Kessel can RC4-encrypt credentials before sending them to the C2.
The Ke3chang group has been known to compress data before exfiltration.
Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to the control server.
Gold Dragon encrypts data using Base64 before it is sent to the command and control server.
Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.
FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.
Exaramel for Windows automatically encrypts files before sending them to the C2 server.
Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.
Epic encrypts collected data using a public key framework before sending it over the C2 channel.
Empire can ZIP directories on the target system.
Emotet has been observed encrypting the data it collects before sending it to the C2 server.
Dtrack packs collected data into a password protected archive.
Daserf hides collected data in password-protected.
Chrommme can encrypt and store on disk collected data before exfiltration.
Cadelspy has the ability to compress stolen data into a.
BLUELIGHT can zip files before exfiltration.
BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.
Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.
Axiom has compressed and encrypted data prior to exfiltration.
Aria-body has used ZIP to compress data gathered on a compromised host.
APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.
APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.
AppleSeed has compressed collected data before exfiltration.
Agent Tesla can encrypt data with 3DES before sending it over to a C2 server.
ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.