Description
An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)
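A small triage helper, added here as an illustration and not part of the ATT&CK page, for analysts examining a staged file suspected of custom archiving: it measures byte entropy, checks for a zlib stream, and brute-forces a single-byte XOR key by scoring candidate decodings for English-like text. The sample record and the key 0x5A are constructed for the example.

```python
import math
import zlib
from collections import Counter

# Letters that dominate English text plus space; used to score candidate decodings.
COMMON = frozenset(b"etaoinshrdlu ")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Near 8.0 suggests compression or real encryption;
    single-byte XOR only permutes byte values, so it leaves entropy unchanged."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_printable(b: int) -> bool:
    return 32 <= b < 127 or b in (9, 10, 13)

def english_score(data: bytes) -> int:
    """Reward common letters, tolerate other printable bytes, penalise control/high bytes."""
    return sum(2 if b in COMMON else 1 if is_printable(b) else -5 for b in data)

def recover_single_byte_xor(data: bytes):
    """Brute-force all 256 keys; return (key, plaintext, printable_ratio) of the best candidate."""
    best = max(range(256), key=lambda k: english_score(bytes(b ^ k for b in data)))
    plain = bytes(b ^ best for b in data)
    return best, plain, sum(map(is_printable, plain)) / len(plain)

def triage(data: bytes, min_printable: float = 0.95) -> dict:
    """Classify a staged blob as zlib, single-byte XOR, or unknown (high entropy: look deeper)."""
    result = {"entropy": round(shannon_entropy(data), 2), "encoding": "unknown"}
    if not data:
        return result
    if data[:1] == b"\x78":  # zlib header byte; the second byte encodes the compression level
        try:
            result["plaintext"] = zlib.decompress(data)
            result["encoding"] = "zlib"
            return result
        except zlib.error:
            pass  # not a valid zlib stream, fall through to the XOR check
    key, plain, ratio = recover_single_byte_xor(data)
    if ratio >= min_printable:
        result.update(encoding="single-byte-xor", key=key, plaintext=plain)
    return result

# Constructed sample (not real victim data): a staged credential record XORed with 0x5A.
SAMPLE_PLAINTEXT = b"user=alice\r\npass=Winter2024!\r\nhost=fileserver01\r\n"
SAMPLE_XORED = bytes(b ^ 0x5A for b in SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(triage(SAMPLE_XORED))
    print(triage(zlib.compress(SAMPLE_PLAINTEXT)))
```

Real stream ciphers such as RC4 or AES output will fall through to "unknown" with entropy close to 8.0, which is itself the signal that a staged file deserves a closer look.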
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using th... |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) encrypts data with a substitute cipher prior to exfiltration.(Citation: CopyKittens Nov 2015) |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used RC4 encryption before exfiltration.(Citation: Securelist Kimsuky Sept 2013) |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has XOR encrypted and Gzip compressed captured credentials.(Citation: Google Cloud Mandiant UNC3886 2... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used custom tools to compress and archive data on victim systems.(Citation: Cisco LotusBlos... |
| G0032 | Lazarus Group | A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample encrypts data using a simple byte-based XOR operation prior to exfiltration.(C... |
Associated Software (31)
| ID | Name | Type | Context |
|---|---|---|---|
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) encrypts collected data with a custom implementation of Blowfish and RSA ciphers.(Citation: ESET Atto... |
| S0657 | BLUELIGHT | Malware | [BLUELIGHT](https://attack.mitre.org/software/S0657) has encoded data into a binary blob using XOR.(Citation: Volexity InkySquid BLUELIGHT August 2021... |
| S0038 | Duqu | Malware | Modules can be pushed to and executed by [Duqu](https://attack.mitre.org/software/S0038) that copy data to a staging area, compress it, and XOR encryp... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) encrypts exfiltrated data via C2 with static 31-byte long XOR keys.(Citation: Nicolas Falliere, Lia... |
| S0035 | SPACESHIP | Malware | Data [SPACESHIP](https://attack.mitre.org/software/S0035) copies to the staging area is compressed with zlib. Bytes are rotated by four positions and ... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661) can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, [... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has used a custom encryption algorithm to encrypt collected data.(Citation: FireEye NETWIRE March 2... |
| S0448 | Rising Sun | Malware | [Rising Sun](https://attack.mitre.org/software/S0448) can archive data using RC4 encryption and Base64 encoding prior to exfiltration.(Citation: McAfe... |
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption ... |
| S0258 | RGDoor | Malware | [RGDoor](https://attack.mitre.org/software/S0258) encrypts files with XOR before sending them back to the C2 server.(Citation: Unit 42 RGDoor Jan 2018... |
| S0169 | RawPOS | Malware | [RawPOS](https://attack.mitre.org/software/S0169) encodes credit card data it collected from the victim with XOR.(Citation: TrendMicro RawPOS April 20... |
| S1059 | metaMain | Malware | [metaMain](https://attack.mitre.org/software/S1059) has used XOR-based encryption for collected files before exfiltration.(Citation: SentinelLabs Meta... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can store collected documents in a custom container after encrypting and compressing them using RC4 ... |
| S0264 | OopsIE | Malware | [OopsIE](https://attack.mitre.org/software/S0264) compresses collected files with a simple character replacement scheme before sending them to its C2 ... |
| S0615 | SombRAT | Malware | [SombRAT](https://attack.mitre.org/software/S0615) has encrypted collected data with AES-256 using a hardcoded key.(Citation: BlackBerry CostaRicto No... |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409)'s collected data is encrypted with AES before exfiltration.(Citation: ESET Machete July 2019) |
| S0172 | Reaver | Malware | [Reaver](https://attack.mitre.org/software/S0172) encrypts collected data with an incremental XOR key prior to exfiltration.(Citation: Palo Alto Reave... |
| S0391 | HAWKBALL | Malware | [HAWKBALL](https://attack.mitre.org/software/S0391) has encrypted data with XOR before sending it over the C2 channel.(Citation: FireEye HAWKBALL Jun ... |
| S0072 | OwaAuth | Malware | [OwaAuth](https://attack.mitre.org/software/S0072) DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log fi... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) uses a variation of the XOR cipher to encrypt files before exfiltration.(Citation: ESET InvisiMo... |
Frequently Asked Questions
What is T1560.003 (Archive via Custom Method)?
T1560.003 is a MITRE ATT&CK technique named 'Archive via Custom Method'. It belongs to the Collection tactic(s). An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ci...
How can T1560.003 be detected?
Detection of T1560.003 (Archive via Custom Method) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1560.003?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1560.003?
Known threat groups using T1560.003 include: FIN6, CopyKittens, Mustang Panda, Kimsuky, UNC3886, Lotus Blossom, Lazarus Group.