Threat actors may create custom obfuscation(encryption, encoding, and hashing) mechanisms to thwart defenders.

Common types

• encryption
• obfuscation
• compression

Malware/Threat actors

Name	Type	Years	Source
TeamSpy	threat actor	2008-2013	theteamspystory_final_t2.pdf
Wild Neutron	threat actor	2013-2015	WildNeutron_Economic_espionage.pdf ICIT-Brief-Know-Your-Enemies-2.0.pdf
Lazarus Group	threat actor	2011-2014	Operation-Blockbuster-Report.pdf Operation-Blockbuster-RAT-and-Staging-Report.pdf Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf Operation-Blockbuster-Destructive-Malware-Report.pdf
Nettraveler	malware	2004-2013	kaspersky-the-net-traveler-part1-final.pdf
PlugX	malware	2014	GlobalThreatIntelReport.pdf plugx-goes-to-the-registry-and-india.pdf ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf P2P_PlugX_Analysis.pdf

Preventions

<Mitigation techniques>

Detections

During the encryption handshake in protocols like TLS, SSL, and SSH look for encryption suites and ciphers that are new to the environment.

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

• Anonymous services
• Public services
• Encryption
• Encoding
• Custom protocol
• Compression

References

• Github - CyberMonitor/APT_CyberCriminal_Campagin_Collections