Description
Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.
Platforms
Mitigations (1)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) added "junk data" to each encoded string, preventing trivial decoding without knowledge of the junk rem... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0016 | P2P ZeuS | Malware | [P2P ZeuS](https://attack.mitre.org/software/S0016) added junk data to outgoing UDP packets to peer implants.(Citation: Dell P2P ZeuS) |
| S0134 | Downdelph | Malware | [Downdelph](https://attack.mitre.org/software/S0134) inserts pseudo-random characters between each original character during encoding of C2 network re... |
| S1047 | Mori | Malware | [Mori](https://attack.mitre.org/software/S1047) has obfuscated the FML.dll with 200MB of junk data.(Citation: DHS CISA AA22-055A MuddyWater February 2... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can append C2 communication with randomly generated junk data.(Citation: Kaspersky LODEINFO Part I... |
| S0574 | BendyBear | Malware | [BendyBear](https://attack.mitre.org/software/S0574) has used byte randomization to obscure its behavior.(Citation: Unit42 BendyBear Feb 2021) |
| S0682 | TrailBlazer | Malware | [TrailBlazer](https://attack.mitre.org/software/S0682) has used random identifier strings to obscure its C2 operations and result codes.(Citation: Cro... |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can add extra characters in encoded strings to help mimic DNS legitimate requests.(Citation: Joint... |
| S0626 | P8RAT | Malware | [P8RAT](https://attack.mitre.org/software/S0626) can send randomly-generated data as part of its C2 communication.(Citation: Securelist APT10 March 20... |
| S0435 | PLEAD | Malware | [PLEAD](https://attack.mitre.org/software/S0435) samples were found to be highly obfuscated with junk code.(Citation: ESET PLEAD Malware July 2018)(Ci... |
| S1164 | UPSTYLE | Malware | [UPSTYLE](https://attack.mitre.org/software/S1164) retrieves a non-existent webpage from the command and control server then parses commands from the ... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can generate a sequence of dummy HTTP C2 requests to obscure traffic.(Citation: Kaspersky Lyceum Octo... |
| S0588 | GoldMax | Malware | [GoldMax](https://attack.mitre.org/software/S0588) has used decoy traffic to surround its malicious network traffic to avoid detection.(Citation: MSTI... |
| S1246 | BeaverTail | Malware | [BeaverTail](https://attack.mitre.org/software/S1246) has added junk data or a dummy character prepended to a string to hamper decoding attempts.(Cita... |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) added junk bytes to its C2 over HTTP.(Citation: FireEye SUNBURST Backdoor December 2020) |
| S0647 | Turian | Malware | [Turian](https://attack.mitre.org/software/S0647) can insert pseudo-random characters into its network encryption setup.(Citation: ESET BackdoorDiplom... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) can pad C2 messages with random generated values.(Citation: Group IB GrimAgent July 2021) |
| S0514 | WellMess | Malware | [WellMess](https://attack.mitre.org/software/S0514) can use junk data in the Base64 string for additional obfuscation.(Citation: CISA WellMess July 20... |
References
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1001.001 (Junk Data)?
T1001.001 is a MITRE ATT&CK technique named 'Junk Data'. It belongs to the Command and Control tactic(s). Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the...
How can T1001.001 be detected?
Detection of T1001.001 (Junk Data) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1001.001?
There are 1 documented mitigations for T1001.001. Key mitigations include: Network Intrusion Prevention.
Which threat groups use T1001.001?
Known threat groups using T1001.001 include: APT28.