Asymmetric Cryptography

Information

• Name: Asymmetric Cryptography

• ID: T1573.002

• Tactics:

• Technique:

Introduction

Asymmetric Cryptography [T1573.002] is a sub-technique within the MITRE ATT&CK framework, classified under the Encrypted Channel (T1573) technique. This technique involves adversaries leveraging asymmetric cryptographic algorithms—such as RSA—to encrypt command and control (C2) communications, exfiltrate data securely, or obfuscate malicious payloads. Asymmetric cryptography uses a pair of keys, one public and one private, to encrypt and decrypt information, making it difficult for defenders to intercept or analyze malicious traffic and activity.

Deep Dive Into Technique

Asymmetric cryptography leverages mathematical algorithms that utilize public-private key pairs. Unlike symmetric cryptography, asymmetric cryptography relies on two separate keys:

• Public Key: Widely distributed and used for encryption.

• Private Key: Kept secret by the attacker and used for decryption.

Adversaries commonly utilize asymmetric cryptography in the following ways:

• Secure C2 Communication: Attackers encrypt commands and responses between compromised hosts and C2 servers, effectively hiding malicious traffic from network security monitoring tools.

• Data Exfiltration: Attackers encrypt sensitive data before exfiltration, making it challenging for defenders to identify the nature of the stolen information.

• Payload Obfuscation: Malware payloads may be encrypted using asymmetric cryptography to evade detection by antivirus and endpoint detection and response (EDR) solutions.

Technical execution methods include:

• Embedding public keys directly in malware payloads or configuration files.

• Generating key pairs dynamically at runtime to avoid static detection.

• Utilizing standard cryptographic libraries (e.g., OpenSSL) or custom implementations to perform encryption and decryption operations.

• Leveraging legitimate asymmetric cryptographic services or APIs provided by cloud platforms or third-party providers.

Real-world procedures include attackers embedding public keys into malware payloads, encrypting sensitive data before exfiltration, and using asymmetric cryptography to authenticate compromised systems to attacker-controlled infrastructure securely.

When this Technique is Usually Used

Attackers typically employ asymmetric cryptography across various stages of the attack lifecycle, including:

• Command and Control (C2) Stage: Encrypting commands and responses to evade detection and network monitoring.

• Data Exfiltration Stage: Encrypting stolen data to obscure content and evade Data Loss Prevention (DLP) solutions.

• Persistence and Evasion: Encrypting malware payloads or configuration data to evade antivirus signatures and endpoint detection tools.

• Credential Harvesting and Secure Communication: Securing attacker-controlled infrastructure and communications to prevent defender interception.

Common attack scenarios include:

• Advanced Persistent Threat (APT) groups using encrypted channels to maintain long-term stealthy communication.

• Ransomware operators encrypting sensitive data before exfiltration to pressure victims into paying ransom.

• Cyber espionage campaigns encrypting sensitive intellectual property or government data prior to exfiltration.

How this Technique is Usually Detected

Detection of asymmetric cryptography usage by adversaries can be challenging due to encryption's inherent stealth. Effective detection methods and tools include:

• Network Traffic Analysis:

  • Monitor network traffic for unusual encrypted connections or traffic patterns indicative of asymmetric encryption usage.

  • Analyze SSL/TLS handshake metadata for anomalous certificates or unusual key exchanges.

• Endpoint Detection and Response (EDR):

  • Monitor processes that load cryptographic libraries (e.g., OpenSSL) or APIs unexpectedly.

  • Detect suspicious file creation or modification activities associated with cryptographic key generation or storage.

• Behavioral Analysis and Threat Hunting:

  • Identify anomalous key-generation events or cryptographic operations within logs.

  • Detect unusual patterns of encrypted data being transmitted to external IP addresses or domains.

Specific Indicators of Compromise (IoCs) include:

• Presence of public keys in malware binaries or configuration files.

• Unusual cryptographic API calls or library usage (e.g., unexpected use of RSA or ECC algorithms).

• Encrypted files or data blobs stored temporarily on compromised systems before exfiltration.

• Anomalous traffic to known attacker-controlled infrastructure using asymmetric encryption.

Why it is Important to Detect This Technique

Detecting asymmetric cryptography use by adversaries is critical due to its potential impacts on organizations, including:

• Evasion of Security Controls: Encryption makes it significantly harder for traditional network security tools to inspect and analyze malicious traffic.

• Data Loss and Intellectual Property Theft: Encrypted exfiltration reduces visibility into the nature of stolen data, complicating incident response and remediation efforts.

• Extended Dwell Time: Encrypted communication channels allow attackers to maintain persistent, stealthy access to compromised environments, increasing potential damage.

• Regulatory and Compliance Risks: Failure to detect encrypted data exfiltration may lead to compliance violations, fines, and reputational damage.

Early detection is essential to:

• Minimize dwell time and reduce attacker footholds within networks.

• Prevent significant data breaches and intellectual property theft.

• Enable proactive incident response and remediation efforts to limit damage and disruption.

Examples

Real-world examples of asymmetric cryptography usage by adversaries include:

• APT29 (Cozy Bear):

  • Utilized encrypted C2 communications leveraging asymmetric cryptography in malware such as HAMMERTOSS to evade detection and analysis.

  • Embedded public RSA keys in malware payloads to encrypt sensitive data before exfiltration.

• DarkSide Ransomware Group:

  • Employed RSA-2048 asymmetric encryption to encrypt victim data before exfiltration, ensuring stolen data remained inaccessible to defenders.

  • Used encrypted channels to securely communicate with victim organizations during ransom negotiations.

• TrickBot Malware:

  • Leveraged RSA asymmetric encryption to secure communication channels between infected endpoints and attacker-controlled servers.

  • Embedded public keys in malware modules to encrypt sensitive data prior to exfiltration, complicating detection and attribution efforts.

• SUNBURST (SolarWinds Compromise):

  • Attackers leveraged asymmetric cryptography to secure communications between compromised SolarWinds Orion software and attacker-controlled infrastructure, making detection and analysis challenging.

  • Embedded RSA keys within malware components to authenticate compromised systems securely and evade detection by security solutions.