Collection

T1560.002: Archive via Library

T1560.002 · Sub-technique · 3 platforms · 2 groups

Description

An adversary may compress or encrypt data that is collected prior to exfiltration using third-party libraries. Many libraries exist that can archive data, including Python rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.
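Because a linked library never spawns a `zip`, `rar` or `bzip2` process, the artifact a defender is usually left with is the archive itself. The following is an added example for this technique description, not code from ATT&CK or from any of the cited projects: it identifies compressed or archived output by its header bytes (including raw zlib streams, which have no file-type magic), checks the ZIP encryption flag, and uses byte entropy as a fallback for data that is compressed or encrypted with no recognizable header. The sample inputs are constructed inline with the Python standard library; the encrypted-flag ZIP is produced by hand-setting the flag bit, since `zipfile` cannot write encrypted archives.

```python
"""Classify collected-data blobs as archive/compressed output (defender-side triage).

Added example for T1560.002; not ATT&CK's or any cited project's code.
All sample inputs are constructed in build_samples() so the script runs offline.
"""
import bz2
import gzip
import io
import lzma
import math
import zipfile
import zlib
from collections import Counter
from typing import Optional

# Leading bytes of common archive/compression formats, taken from the format specs.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",          # covers RAR 4.x and RAR5 signatures
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def identify_format(data: bytes) -> Optional[str]:
    """Return the archive format name if data carries a known header, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    # Raw zlib stream (RFC 1950): CM == 8 (deflate) and the 16-bit header is a multiple of 31.
    if len(data) >= 2 and data[0] & 0x0F == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any ZIP entry sets general-purpose flag bit 0 (entry is encrypted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def assess(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Summarize one blob: detected format, entropy, ZIP encryption, and a triage verdict."""
    fmt = identify_format(data)
    ent = shannon_entropy(data)
    return {
        "format": fmt,
        "entropy": round(ent, 2),
        "encrypted_zip": fmt == "zip" and zip_has_encrypted_entries(data),
        "suspicious": fmt is not None or ent >= entropy_threshold,
    }


def build_samples() -> dict:
    """Constructed sample blobs (not real malware output) covering each path above."""
    text = b"quarterly report: revenue, headcount, customer list, passwords\n" * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", text)
    zip_plain = buf.getvalue()
    # Hand-set the encryption bit in the central directory header (flags at offset 8).
    flagged = bytearray(zip_plain)
    flagged[zip_plain.index(b"PK\x01\x02") + 8] |= 0x1
    return {
        "text": text,
        "zlib": zlib.compress(text),
        "gzip": gzip.compress(text),
        "bzip2": bz2.compress(text),
        "xz": lzma.compress(text),
        "zip_plain": zip_plain,
        "zip_encrypted_flag": bytes(flagged),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:20s} {assess(blob)}")
```

The entropy fallback matters for the encrypted case: an AES-encrypted payload such as the OSX_OCEANLOTUS.D example in the table below has no archive header at all, so only its near-8-bit entropy distinguishes it from plain collected text. Tune `entropy_threshold` against your own baseline, since legitimate media and already-compressed documents also score high.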

Platforms

Linux, macOS, Windows

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is compressed wit... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used RAR to compress, encrypt, and password-protect files prior to exfiltration.(Citati... |

Associated Software (13)

| ID | Name | Type | Context |
|---|---|---|---|
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.(Citation:... |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can zlib-compress data prior to exfiltration.(Citation: ESET Turla Lunar toolset May 2024) |
| S0086 | ZLib | Malware | The [ZLib](https://attack.mitre.org/software/S0086) backdoor compresses communications using the standard Zlib compression library.(Citation: Cylance ... |
| S0127 | BBSRAT | Malware | [BBSRAT](https://attack.mitre.org/software/S0127) can compress data with ZLIB prior to sending it back to the C2 server.(Citation: Palo Alto Networks ... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can use zlib to compress and decompress data.(Citation: ESET InvisiMole June 2018)(Citation: ESE... |
| S0053 | SeaDuke | Malware | [SeaDuke](https://attack.mitre.org/software/S0053) compressed data with zlib prior to sending it over C2.(Citation: Mandiant No Easy Breach) |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) compressed collected data using zlib.(Citation: Securelist Denis April 2017) |
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) compresses the collected data with bzip2 before sending it to the C2 server.(Citation: Kaspersky Turla... |
| S0642 | BADFLICK | Malware | [BADFLICK](https://attack.mitre.org/software/S0642) has compressed data using the aPLib compression library.(Citation: Accenture MUDCARP March 2019) |
| S0348 | Cardinal RAT | Malware | [Cardinal RAT](https://attack.mitre.org/software/S0348) applies compression to C2 traffic using the ZLIB library.(Citation: PaloAlto CardinalRat Apr 2... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) scrambles and encrypts data using AES256 before sending it to the C2 server.(Citation: Tre... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class.... |
| S1044 | FunnyDream | Malware | [FunnyDream](https://attack.mitre.org/software/S1044) has compressed collected files with zLib.(Citation: Bitdefender FunnyDream Campaign November 202... |

Frequently Asked Questions

What is T1560.002 (Archive via Library)?

T1560.002 is a MITRE ATT&CK sub-technique named 'Archive via Library'. It belongs to the Collection tactic. An adversary may compress or encrypt data that is collected prior to exfiltration using third-party libraries. Many libraries exist that can archive data, including Python rarfile, libzip, and zlib; most include functionality to encrypt and/or compress data.

How can T1560.002 be detected?

Detection of T1560.002 (Archive via Library) typically involves monitoring system logs, network traffic, and endpoint telemetry. Because the archival library is linked into the adversary's own binary rather than spawned as a separate utility, process-creation events alone will not reveal the activity; use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1560.002?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1560.002?

Known threat groups using T1560.002 include: Lazarus Group, Threat Group-3390.