Archive via Library

Information

• Name: Archive via Library

• ID: T1560.002

• Tactics: TA0009

• Technique: T1560

Introduction

Archive via Library (T1560.002) is a sub-technique under the MITRE ATT&CK framework technique T1560 (Archive Collected Data). It specifically refers to adversaries leveraging existing software libraries or built-in system utilities to compress and archive data before exfiltration. Attackers commonly use this method to minimize the size of data, simplify data transfer, and evade detection by blending into normal system behavior. Due to the prevalence and legitimacy of archive utilities, this technique can be challenging to detect and mitigate.

Deep Dive Into Technique

Adversaries employing Archive via Library techniques utilize standard compression libraries or tools available on the compromised system to create archives. These tools and libraries include:

• Compression Libraries:

  • zlib

  • gzip

  • bzip2

  • 7z

  • tar

• System Utilities:

  • zip

  • unzip

  • tar

  • gzip

  • rar

Attackers typically execute this technique through the following methods:

• Command-line Interaction: Attackers use command-line utilities to quickly archive sensitive information. Commands such as tar -czvf, zip -r, or 7z a are commonly employed.

• Scripting and Automation: Malicious scripts (bash, PowerShell, Python) automate the archiving process, enabling rapid data collection and compression before exfiltration.

• Library Integration in Malware: Malware may integrate compression libraries directly within their binaries or payloads, allowing attackers to compress data without relying on external utilities. This reduces the likelihood of detection by minimizing external dependencies or suspicious command-line execution.

• Use of Legitimate Utilities: Attackers frequently use legitimate archiving utilities pre-installed on operating systems, making their activities blend in with normal administrative tasks.

When this Technique is Usually Used

Attackers utilize Archive via Library at various stages of the cyber-attack lifecycle, notably:

• Collection Stage: After successfully identifying and collecting sensitive data, attackers compress files to streamline the exfiltration process.

• Exfiltration Preparation: Compressing data reduces file size, aiding in stealthy and efficient exfiltration, especially when bandwidth is limited or monitored.

• Data Theft Campaigns: Attackers targeting intellectual property, sensitive corporate data, or personally identifiable information (PII) commonly use this method to efficiently move large amounts of data.

• Ransomware Attacks: Ransomware operators may archive sensitive data before encryption, preparing it for exfiltration and extortion purposes.

• Espionage Operations: Advanced persistent threats (APTs) commonly archive data to efficiently exfiltrate sensitive information without raising suspicion.

How this Technique is Usually Detected

Detection of Archive via Library techniques involves monitoring system behavior, file system activities, and command execution patterns. Effective detection methods include:

• Monitoring Command-line Activity: Track and log execution of archive-related commands (zip, tar, gzip, 7z, rar) and review command-line parameters for suspicious patterns.

• Process and File Monitoring: Use endpoint detection and response (EDR) solutions to identify unusual processes accessing sensitive data and creating archive files, especially in unusual directories or at atypical times.

• Behavioral Analytics: Implement analytics to detect abnormal patterns, such as sudden spikes in archive file creation or compression activities involving sensitive files.

• File System Auditing: Monitor file system events for the creation of large archive files or archives containing sensitive data types (documents, databases, email archives).

• Network Monitoring: Detect unusual outbound network traffic patterns indicative of data exfiltration, often following archive creation.

Specific Indicators of Compromise (IoCs):

• Presence of unexpected or unexplained archive files (.zip, .7z, .tar.gz, .rar) in unusual locations.

• Execution of archiving utilities by unauthorized or unusual user accounts.

• Archive creation processes running at atypical times (outside business hours).

• Large archives being created or modified shortly before suspicious network activity.

Why it is Important to Detect This Technique

Early detection of Archive via Library is crucial due to its potential impacts on organizations, including:

• Data Exfiltration: Successful use of this technique can result in unauthorized transfer of sensitive corporate or personal data, intellectual property theft, or loss of confidential information.

• Operational Disruption: Attackers compressing and exfiltrating data can lead to disruption of business operations, regulatory compliance issues, and reputational damage.

• Ransomware and Extortion: Attackers may archive and exfiltrate data to use as leverage in ransomware attacks, increasing the potential damage and financial losses to organizations.

• Advanced Persistent Threats (APT): Failure to detect archive activities can allow attackers prolonged access and ongoing data theft, significantly increasing the organization's risk exposure.

• Reduced Visibility: Because archiving utilities are legitimate tools, attackers leveraging this method may evade traditional signature-based detection, underscoring the importance of behavioral monitoring and anomaly detection.

Examples

Real-world examples illustrating Archive via Library include:

• APT29 (Cozy Bear):

  • Attack Scenario: Employed compression utilities (zip, tar) to archive sensitive data prior to exfiltration.

  • Tools Used: Standard Linux utilities like tar and gzip.

  • Impact: Exfiltration of sensitive governmental and private sector data, espionage activities.

• FIN7 Cybercrime Group:

  • Attack Scenario: Used PowerShell scripts to automate archiving of financial data before exfiltration.

  • Tools Used: PowerShell scripts combined with native Windows compression (zip) or third-party utilities (7z).

  • Impact: Theft of credit card data, financial records, resulting in significant financial losses and regulatory penalties.

• DarkSide Ransomware:

  • Attack Scenario: Archived sensitive corporate data using built-in utilities before encrypting files and demanding ransom.

  • Tools Used: Native Windows utilities (zip), third-party compression tools (7z).

  • Impact: Data theft, operational disruption, ransom demands, and reputational damage to victim organizations.

• Operation Cloud Hopper (APT10):

  • Attack Scenario: Used compression utilities to archive and exfiltrate intellectual property from technology and manufacturing companies.

  • Tools Used: Standard Linux utilities (tar, gzip).

  • Impact: Intellectual property theft, compromised competitive advantage, financial and reputational damage.

These examples highlight the practical application and significant risks associated with Archive via Library, underscoring the importance of robust detection and response capabilities.