Description
Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)
Adversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage)
For example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021)
Embedded content may also be used as Process Injection payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)
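Because the page lists the embedding patterns (an overlay appended to a benign binary, one PE nested inside another, a DLL carried as hex text inside a script) without showing how a defender would surface them, the following is an added triage example. It is not code from the ATT&CK page or from any of the cited reports; the PE field offsets follow the public PE/COFF layout, the sample image it scans is constructed inline, and the 64-byte hex-run threshold and all function names are choices made for this example.

```python
"""Defender-side triage for the embedded-payload patterns described above:
an overlay appended past the last PE section, a second PE image nested in a
host file, and a hex-encoded PE inside script text. Added example; not code
from the ATT&CK page or any cited report. PE offsets follow the PE/COFF
specification; the sample image built below is constructed for the demo."""
import math
import re
import struct
from collections import Counter

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){64,}")  # 64+ byte hex blob (threshold is arbitrary)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed payloads sit near 8.0, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_overlay(data: bytes):
    """(offset, bytes) of data past the end of the last section, or None if not a PE.

    Benign files may carry a small overlay (an Authenticode signature, for
    example), so size and entropy matter more than mere presence."""
    if len(data) < 0x40 or data[:2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG or e_lfanew + 24 > len(data):
        return None
    coff = e_lfanew + 4                       # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt         # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        off = sect_table + i * 40             # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end, data[end:]


def find_nested_pe(data: bytes):
    """Offsets (after 0) of 'MZ' headers whose e_lfanew really lands on 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(re.escape(MZ), data):
        off = m.start()
        if off == 0 or off + 0x40 > len(data):
            continue
        lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= lfanew < 0x1000 and data[off + lfanew:off + lfanew + 4] == PE_SIG:
            hits.append(off)
    return hits


def find_hex_encoded_pe(text: bytes):
    """Offsets of long hex runs that decode to a PE (the hex-in-script pattern)."""
    return [m.start() for m in HEX_RUN.finditer(text)
            if bytes.fromhex(m.group().decode())[:2] == MZ]


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed, non-runnable one-section PE32 image with `overlay` appended."""
    size_opt, raw_ptr, raw_size = 0xE0, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + sect).ljust(raw_ptr, b"\x00")
    return headers + bytes(raw_size) + overlay


if __name__ == "__main__":
    inner = build_sample_pe()
    host = build_sample_pe(overlay=inner)                    # PE nested in another PE's overlay
    off, blob = pe_overlay(host)
    print(f"overlay at {off:#x}: {len(blob)} bytes, entropy {shannon_entropy(blob):.2f}")
    print("nested PE at", [hex(o) for o in find_nested_pe(host)])
    script = b'$bytes = "' + inner.hex().encode() + b'"'      # constructed script carrying hex PE
    print("hex-encoded PE in script at", find_hex_encoded_pe(script))
```

Overlay presence alone is a weak signal, since signed binaries legitimately carry certificate data past the last section; the useful enrichment is the combination of overlay size, its entropy (an encrypted second stage like Dtrack's sits near 8 bits per byte) and whether a valid nested PE header or hex-decodable PE is found, which is what a sandbox or EDR enrichment step would record alongside the file hash.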
Platforms
Mitigations (2)
Antivirus/Antimalware (M1049)
Anti-virus can be used to automatically detect and quarantine suspicious files.
Behavior Prevention on Endpoint (M1040)
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts.(Citation: win10_asr)
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has distributed malicious payloads embedded in PNG files.(Citation: Microsoft DiamondSleet 2023... |
| G1037 | TA577 | [TA577](https://attack.mitre.org/groups/G1037) has used LNK files to execute embedded DLLs.(Citation: Latrodectus APR 2024) |
| G1036 | Moonstone Sleet | [Moonstone Sleet](https://attack.mitre.org/groups/G1036) embedded payloads in trojanized software for follow-on execution.(Citation: Microsoft Moonsto... |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S1137 | Moneybird | Malware | [Moneybird](https://attack.mitre.org/software/S1137) contains a configuration blob embedded in the malware itself.(Citation: CheckPoint Agrius 2023) |
| S1052 | DEADEYE | Malware | The DEADEYE.EMBED variant of [DEADEYE](https://attack.mitre.org/software/S1052) has the ability to embed payloads inside of a compiled binary.(Citati... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) has an embedded second stage DLL payload within the first stage of the malware.(Citation: Gigamon ... |
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can extract RC4 encrypted embedded payloads for privilege escalation.(Citation: Mandiant ROADS... |
| S1134 | DEADWOOD | Malware | [DEADWOOD](https://attack.mitre.org/software/S1134) contains an embedded, AES-encrypted payload labeled <code>METADATA</code> that provides configurat... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has dropped an embedded executable at `%Temp%\setup.exe`.(Citation: Binary Defense Emotes Wi-Fi Spre... |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has embedded [Stripped Payloads](https://attack.mitre.org/techniques/T1027/008) within anoth... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack) |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has embedded malicious functionality in a legitimate DLL file.(Citation: Trendmicro_IcedID) |
| S0457 | Netwalker | Malware | [Netwalker](https://attack.mitre.org/software/S0457)'s DLL has been embedded within the PowerShell script in hex format.(Citation: TrendMicro Netwalke... |
| S1135 | MultiLayer Wiper | Malware | [MultiLayer Wiper](https://attack.mitre.org/software/S1135) contains two binaries in its resources section, MultiList and MultiWip. [MultiLayer Wiper]... |
| S0649 | SMOKEDHAM | Malware | The [SMOKEDHAM](https://attack.mitre.org/software/S0649) source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM Ju... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) further decrypts information embedded via steganography using AES-CBC with the same 32 bit key as i... |
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) has embedded a XOR encrypted communications module inside the orchestrator module.(Citation: ESET Co... |
| S1158 | DUSTPAN | Malware | [DUSTPAN](https://attack.mitre.org/software/S1158) decrypts and executes an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Clou... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) contains additional embedded DLLs and configuration files that are loaded into memory during execu... |
| S0231 | Invoke-PSImage | Tool | [Invoke-PSImage](https://attack.mitre.org/software/S0231) can be used to embed payload data within a new image file.(Citation: GitHub PSImage) |
| S0022 | Uroburos | Malware | The [Uroburos](https://attack.mitre.org/software/S0022) Queue file contains embedded executable files along with key material, communication channels,... |
References
- Barrett Adams. (n.d.). Invoke-PSImage. Retrieved September 30, 2022.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 – PowerShell Script: ComRAT. Retrieved September 30, 2022.
- Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.
- Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.
Frequently Asked Questions
What is T1027.009 (Embedded Payloads)?
T1027.009 is a MITRE ATT&CK technique named 'Embedded Payloads'. It belongs to the Stealth tactic(s). Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate ma...
How can T1027.009 be detected?
Detection of T1027.009 (Embedded Payloads) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1027.009?
There are 2 documented mitigations for T1027.009. Key mitigations include: Antivirus/Antimalware, Behavior Prevention on Endpoint.
Which threat groups use T1027.009?
Known threat groups using T1027.009 include: Lazarus Group, TA577, Moonstone Sleet.