Archive via Custom Method

Information

• Name: Archive via Custom Method

• ID: T1560.003

• Tactics: TA0009

• Technique: T1560

Introduction

Archive via Custom Method (T1560.003) is a sub-technique of the MITRE ATT&CK framework under the broader technique of Archive Collected Data (T1560). It describes adversaries' use of custom, non-standard archive techniques and tools to compress, encrypt, or otherwise package data before exfiltration. Unlike standard archiving utilities (e.g., ZIP, RAR), these custom methods may evade detection by security tools and analysts, as they deviate from known signatures and behaviors. Attackers leverage this sub-technique to facilitate data exfiltration, conceal stolen information, and reduce the chances of detection.

Deep Dive Into Technique

Attackers implementing the Archive via Custom Method sub-technique typically employ one or more of the following technical approaches:

• Custom Compression Algorithms:

  • Attackers may develop or modify compression algorithms to create archives that differ from standard formats (ZIP, RAR, TAR, etc.).

  • These custom archives may not be recognized by standard detection tools, allowing adversaries to bypass security measures.

• Encryption or Encoding:

  • Attackers frequently integrate encryption or encoding mechanisms into custom archives, making the content unreadable without the specific decryption keys or decoding methods.

  • Custom encryption methods may be designed specifically to evade common detection and analysis tools.

• Proprietary or Non-standard File Formats:

  • Attackers might create archives using proprietary file formats, which standard decompression tools cannot easily analyze.

  • Such custom formats require specialized reverse-engineering efforts to interpret and extract data.

• Obfuscation and Anti-analysis Techniques:

  • Archives may be intentionally obfuscated to evade analysis by automated tools or human analysts.

  • Techniques include embedding archives within other files, using unusual file headers, or employing anti-debugging measures.

• Automated Scripting and Tooling:

  • Attackers commonly automate the custom archiving process via scripts or custom-developed tools, allowing rapid and scalable data exfiltration.

  • Automation enables adversaries to quickly package and exfiltrate large volumes of data with minimal intervention.

When this Technique is Usually Used

Attackers typically utilize the Archive via Custom Method sub-technique during multiple stages and scenarios of cyber-attacks:

• Data Exfiltration Stage:

  • Primarily used to package sensitive or valuable data before exfiltration to external attacker-controlled infrastructure.

  • Enables attackers to compress and encrypt data quickly, reducing transmission size and avoiding detection.

• Persistence and Lateral Movement:

  • Sometimes used internally within compromised networks to discreetly transfer data between compromised hosts.

  • Custom archives may facilitate stealthy lateral movement, reducing detection likelihood.

• Advanced Persistent Threat (APT) Operations:

  • Commonly observed in sophisticated, targeted attacks by APT groups aiming to evade detection and maintain long-term access.

  • Attackers may repeatedly use custom archives during prolonged campaigns to consistently bypass detection mechanisms.

• Evasion of Security Controls:

  • Attackers deploy custom archiving methods specifically to avoid traditional security monitoring tools, endpoint detection and response (EDR) solutions, and network intrusion detection systems (IDS).

  • Custom methods are favored when standard archive formats have become detectable or blocked by security controls.

• Espionage and Intellectual Property Theft:

  • Frequently used in cyber espionage operations to securely exfiltrate sensitive government, defense, or corporate intellectual property.

  • Attackers rely on custom archives to ensure confidentiality and avoid attribution.

How this Technique is Usually Detected

Detecting Archive via Custom Method requires a combination of proactive monitoring, anomaly detection, and behavioral analysis methods:

• Behavioral Analysis and Anomaly Detection:

  • Monitor for unusual file extensions, file headers, or unexpected archive formats.

  • Detect anomalies in file compression ratios, file sizes, and unusual file creation or modification activities.

• Endpoint Detection and Response (EDR) Tools:

  • Leverage EDR solutions to detect suspicious processes creating unusual archives or performing non-standard compression activities.

  • Analyze file system activities and process behaviors indicative of custom archive creation.

• Network Traffic Analysis:

  • Identify unusual outbound network traffic patterns, especially large transfers or encrypted data streams.

  • Detect irregular data transfer protocols, non-standard port usage, or suspicious destinations.

• Log and Audit Analysis:

  • Regularly analyze operating system logs, application logs, and file system audit logs for indicators of custom archive creation.

  • Look for command-line invocations, scripting activity, or unusual file manipulations.

• Threat Hunting and Intelligence:

  • Conduct proactive threat hunting based on known attacker techniques and procedures.

  • Utilize threat intelligence feeds to identify new custom archive methods, tools, or indicators of compromise (IoCs).

Specific IoCs that may indicate Archive via Custom Method include:

• Unrecognized or uncommon file extensions (e.g., ".xyz," ".dat," ".bin").

• Files containing unknown or unusual file headers or magic bytes.

• Processes executing unknown or suspicious custom archiving binaries or scripts.

• Encrypted or encoded data streams with no recognizable standard archive signatures.

• Unusual scripting or command-line activity indicative of custom compression or encryption.

Why it is Important to Detect This Technique

Early detection of Archive via Custom Method is crucial due to the significant potential impacts and risks posed by this sub-technique:

• Data Exfiltration Prevention:

  • Timely detection helps prevent successful data exfiltration, protecting sensitive intellectual property, confidential information, and proprietary data.

• Reducing Dwell Time:

  • Early detection shortens the attackers' dwell time within compromised networks, reducing potential damage and mitigating long-term persistence.

• Minimizing Damage and Loss:

  • Identifying and interrupting custom archiving activities limits the scope of data theft, financial loss, reputational damage, and regulatory consequences.

• Improving Incident Response:

  • Detecting this sub-technique early enhances incident response capabilities, enabling rapid containment and remediation of security incidents.

• Attribution and Threat Intelligence:

  • Detection provides crucial forensic evidence and indicators of compromise, aiding attribution efforts and enhancing organizational threat intelligence.

• Preventing Future Attacks:

  • Understanding attacker methods and custom archive techniques allows organizations to proactively strengthen defenses and prevent future exploitation.

Examples

Real-world examples demonstrating Archive via Custom Method techniques include:

• APT29 (Cozy Bear):

  • Known to utilize custom encryption and compression methods during espionage campaigns targeting government and private-sector victims.

  • Attackers employed custom archiving tools to compress and encrypt stolen data before exfiltration, evading detection by standard security solutions.

• FIN7 Criminal Group:

  • Observed using custom scripts and binaries to package and encrypt payment card data and personally identifiable information (PII) during financial cybercrime operations.

  • Custom archives facilitated stealthy exfiltration of sensitive financial data from victim organizations.

• Operation Aurora (APT Campaign):

  • Attackers used custom-developed tools to archive and encrypt intellectual property data from targeted technology companies.

  • Custom archives enabled attackers to evade detection and successfully exfiltrate large volumes of sensitive data.

• DarkHotel APT:

  • Utilized custom archive and encryption methods to securely package and exfiltrate sensitive corporate and governmental data from compromised hotel Wi-Fi networks.

  • Custom formats allowed attackers to avoid detection by standard network monitoring and endpoint security tools.

• RedLeaves Malware (Used by APT10):

  • Implemented custom data packaging and encryption methods within malware payloads to compress and securely transmit stolen data to attacker-controlled infrastructure.

  • Custom archives helped APT10 evade detection during espionage operations targeting global enterprises.

In these examples, attackers consistently leveraged custom archiving methods to evade standard detection mechanisms, successfully exfiltrate sensitive data, and maintain operational security during sophisticated cyber-attacks.