Stealth

T1027.001: Binary Padding

T1027.001 · Sub-technique · 3 platforms · 8 groups

Description

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding is commonly generated by a function that produces junk data, which is then appended to the end of the malware or applied to sections of it.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of tools and detection capabilities that are not designed or configured to scan large files. It may also reduce the likelihood of the sample being collected for analysis: public file scanning services, such as VirusTotal, limit the maximum size of an uploaded file.(Citation: VirusTotal FAQ)
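The description above implies a defensive counter-measure: detect a long trailing run of a single byte value (null bytes, "0" characters, and so on) and hash the file with that run stripped, so a padded variant can still be matched against a blocklist built from the unpadded sample. The following is an added example, not MITRE's or any vendor's code; the `MIN_PAD_RUN` threshold and the sample "binary" are constructed assumptions.

```python
import hashlib

# Minimum length of a single repeated byte value at the file tail before it is
# treated as padding. Assumed threshold, not an ATT&CK value; tune it to your corpus.
MIN_PAD_RUN = 64


def trailing_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the run of one byte value at the end of data."""
    if not data:
        return None, 0
    last = data[-1]
    i = len(data)
    while i > 0 and data[i - 1] == last:
        i -= 1
    return last, len(data) - i


def analyze(data: bytes, min_run: int = MIN_PAD_RUN) -> dict:
    """Detect trailing padding and hash the file both as-is and with the padding removed.

    sha256_core is the same for every padded variant of one file, so it can be matched
    against a blocklist even though sha256_raw was changed by the padding.
    """
    byte_value, run = trailing_run(data)
    padded = run >= min_run
    core = data[: len(data) - run] if padded else data
    return {
        "size": len(data),
        "padded": padded,
        "pad_byte": byte_value if padded else None,
        "pad_len": run if padded else 0,
        "sha256_raw": hashlib.sha256(data).hexdigest(),
        "sha256_core": hashlib.sha256(core).hexdigest(),
    }


# Constructed sample: a stand-in "binary" and two padded variants of it, one with
# null bytes appended and one with ASCII "0" characters appended.
CORE = b"MZ" + bytes(range(256)) * 4 + b"end-of-real-content"
PADDED_NULL = CORE + b"\x00" * 4096
PADDED_ZERO_CHAR = CORE + b"0" * 4096

if __name__ == "__main__":
    samples = (("core", CORE), ("null-padded", PADDED_NULL), ("zero-char", PADDED_ZERO_CHAR))
    for name, sample in samples:
        r = analyze(sample)
        print(f"{name:12} size={r['size']:6} pad_len={r['pad_len']:5} core={r['sha256_core'][:16]}")
```

The normalized hash must be computed the same way on both the blocklist side and the scanning side, since a file whose real content happens to end in the padding byte loses a few genuine bytes to the strip as well.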

Platforms

Linux, macOS, Windows

Threat Groups (8)

| ID | Group | Context |
|---|---|---|
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has inserted garbage characters into code, presumably to avoid anti-virus detection.(Citation: Proo... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) used large size files to avoid detection by security solutions with hardcoded size limits.(Citation: Se... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has performed padding of PowerShell command line code with over 100 spaces.(Citation: Securonix Kimsu... |
| G0002 | Moafee | [Moafee](https://attack.mitre.org/groups/G0002) has been known to employ binary padding.(Citation: Haq 2014) |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) performed padding with null bytes before calculating its hash.(Citation: Zscaler Higaisa 2020) |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) apparently altered [NDiskMonitor](https://attack.mitre.org/software/S0272) samples by adding four b... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) downloader code has included "0" characters at the end of the file to inflate the file size in ... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) has used binary padding to obfuscate payloads.(Citation: Cisco Akira Ransomware OCT 2024) |

Associated Software (22)

| ID | Name | Type | Context |
|---|---|---|---|
| S0586 | TAINTEDSCRIBE | Malware | [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can execute <code>FileRecvWriteRand</code> to append random bytes to the end of a file receiv... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) inflates malicious files and malware as an evasion technique.(Citation: emotet_trendmicro_mar2023) |
| S0528 | Javali | Malware | [Javali](https://attack.mitre.org/software/S0528) can use large obfuscated libraries to hinder detection and analysis.(Citation: Securelist Brazilian ... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use large file sizes to evade detection.(Citation: Trend Micro Qakbot May 2020)(Citation: Group ... |
| S0433 | Rifdoor | Malware | [Rifdoor](https://attack.mitre.org/software/S0433) has added four additional bytes of data upon launching, then saved the changed version as <code>C:\... |
| S1149 | CHIMNEYSWEEP | Malware | The [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) installer has been padded with null bytes to inflate its size.(Citation: Mandiant ROADSWEE... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) has added BMP images to the resources section of its Portable Executable (PE) file increasing e... |
| S9016 | Caminho | Malware | [Caminho](https://attack.mitre.org/software/S9016) can use junk code for obfuscation.(Citation: Zscaler BlindEagle DEC 2025) |
| S0614 | CostaBricks | Malware | [CostaBricks](https://attack.mitre.org/software/S0614) has added the entire unobfuscated code of the legitimate open source application Blink to its c... |
| S1185 | LightSpy | Malware | [LightSpy](https://attack.mitre.org/software/S1185)'s configuration file is appended to the end of the binary. For example, the last `0x1d0` bytes of ... |
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) has appended random binary data to the end of itself to generate a large binary.(Citation: Talos Bi... |
| S0236 | Kwampirs | Malware | Before writing to disk, [Kwampirs](https://attack.mitre.org/software/S0236) inserts a randomly generated string into the middle of the decrypted paylo... |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) has been obfuscated with a 129 byte sequence of junk data prepended to the file.(Citation: Elas... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has utilized junk code and opaque predicates in payloads to hinder analysis.(Citation: Eset PlugX Kor... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has used randomized padding to obfuscate payloads.(Citation: Zscaler)(Citation: Unit42 Chinese VS... |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) had added data prior to the Portable Executable (PE) header to prevent automatic scanners from ... |
| S0082 | Emissary | Malware | A variant of [Emissary](https://attack.mitre.org/software/S0082) appends junk data to the end of its DLL file to create a large file that may exceed t... |
| S9018 | HeartCrypt | Malware | [HeartCrypt](https://attack.mitre.org/software/S9018) can add several hundred thousand kilobytes of null padding to payloads before saving onto the fi... |
| S0244 | Comnie | Malware | [Comnie](https://attack.mitre.org/software/S0244) appends a total of 64MB of garbage data to a file to deter any security products in place that may b... |
| S0632 | GrimAgent | Malware | [GrimAgent](https://attack.mitre.org/software/S0632) has the ability to add bytes to change the file hash.(Citation: Group IB GrimAgent July 2021) |

Frequently Asked Questions

What is T1027.001 (Binary Padding)?

T1027.001 is a MITRE ATT&CK technique named 'Binary Padding'. It belongs to the Stealth tactic(s). Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the...

How can T1027.001 be detected?

Detection of T1027.001 (Binary Padding) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1027.001?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1027.001?

Known threat groups using T1027.001 include: Leviathan, APT29, Kimsuky, Moafee, Higaisa, Patchwork, BRONZE BUTLER, Akira.