deobfuscate: Encryption, Encoding, & Obfuscation

An Analysis of Threat Actor Tactics and Techniques

During my master’s program, I wrote a 20-ish page research paper on Encryption, Encoding, and Obfuscation. The goal was to analyze, compare, and contrast these methods to understand their usage in malware execution. I decided to share my research here in hopes of aiding in understanding the capabilities that threat actors use. I’ve tailored the article so that it is not a direct 1:1 of my research paper to improve it and change some of the language and formatting. Enjoy!

Introduction

"The enemy knows the system." – Claude Shannon, summarizing “Kerckhoffs’ Principle”

In this article, we will cover the use of encryption and, in parallel, encoding and obfuscation as they apply to malware and reverse engineering. The objective is a more thorough understanding of these tactics, techniques, and procedures (TTPs) that threat actors leverage to target and exploit our environments. Equipped with this knowledge, cybersecurity practitioners can engage in effective practices toward securing their enterprises.

Definitions and Concepts

"To know your enemy, you must become your enemy." – Sun Tzu, The Art of War

To begin with, we must understand the fundamental applications of encryption, encoding, and obfuscation practices.

Encryption

"Those who can imagine anything, can create the impossible." – Alan Turing

Encryption is the transformation of readable data (plaintext) into an unreadable form (ciphertext) by a mathematical algorithm parameterized by a key; decryption reverses the transformation using the corresponding key. Note what this does and does not hide: without the key nobody can read the content, but the existence of the ciphertext is not concealed (that is steganography, covered under obfuscation below), and a well-designed cipher stays secure even when the algorithm is public, which is the Kerckhoffs' principle quoted above. There are two primary forms of encryption:

  • Symmetric—This form uses a single key to both encrypt and decrypt. Both parties must hold the key and must have exchanged it over a secure channel; exposure of the key compromises everything encrypted under it. AES is the current standard example.

  • Asymmetric—This form uses a key pair: a public key, which can be shared with anyone who wants to send the owner a message, and a private key, which the owner keeps secret. Exposure of the public key has no impact on confidentiality; compromising the data requires obtaining the private key. RSA and elliptic-curve schemes are the common examples.

The symmetric idea is ancient. Julius Caesar used a substitution cipher to protect military messages in roughly 50-60 BCE (Kumar, 2024). The scheme simply 'shifts' each letter of the alphabet n places forward, wrapping from 'z' back to 'a'; the shift n is the shared secret, so it is a symmetric key in the sense above. (The same idea extends to any fixed alphabet, such as digits or hexadecimal characters.) For example:

Plaintext: Hello World
\\Caesar Cipher where n=13 (commonly referred to as ROT13 today)\\
Ciphertext: Uryyb Jbeyq

Decrypting it just means shifting every letter thirteen places back (and because 13 is half the alphabet, applying ROT13 a second time returns the plaintext). As you can see, the Caesar cipher has no place in modern use: there are only 25 possible shifts, so an attacker can try every key by hand, and letter-frequency analysis breaks it even faster. Such ciphers are considered insecure and shouldn't be used for any real privacy or confidentiality application; today ROT13 survives only as a way to hide spoilers or puzzle answers from a casual glance.

As you can infer from this, encryption has had to evolve with technology. Today's systems rely on vastly more advanced algorithms. Cryptography, the overarching study of cryptosystems, including encryption and decryption, progressed through the Vigenère cipher (first described by Bellaso in 1553) and the Jefferson disk of the 1790s, among others.

What we might call the first 'modern' era of encryption dates to the period between the World Wars, with the German Enigma machine, patented in 1918 and adopted by the German military during the 1920s. It is here that cryptographic computation began to be 'automated'. The machine used rotors that stepped with each keystroke to produce a highly complex polyalphabetic substitution, with the rotor order and settings changed daily according to key sheets. It was ultimately defeated by Alan Turing, the father of computer science, and his team at Bletchley Park, who had Enigma traffic readable at scale by 1941; this rested on years of compounded cryptanalysis, starting with the Polish Cipher Bureau in 1932 and continuing with French support until France's surrender in 1940 (History of the Enigma, n.d.).

The next milestone was the Data Encryption Standard (DES), published as a U.S. federal standard in 1977, which marked the beginning of purely digital encryption standards. It was developed at IBM and then adopted by the U.S. government. Its weakness was its 56-bit key, adequate against 1970s hardware but not against what followed: by 1998 a purpose-built machine could brute-force a DES key in days, and DES was superseded by the Advanced Encryption Standard (AES) in 2001.

Another capability arrived with the Rivest–Shamir–Adleman (RSA) asymmetric cryptosystem in 1977 (Rivest, Shamir, & Adleman, 1977). This unique approach used a public-private key pair rather than the single key of the earlier methods. A key pair is generated from two large prime numbers: one key is published and the other kept secret. Anyone can use the public key to encrypt a message to you, but the public key cannot undo that operation; decrypting requires the private key that only the recipient should hold. The same pair, used the other way around, yields digital signatures.

RSA relies on the integer factorization problem, the assumed practical difficulty of factoring the product of two large primes (Weisstein, 2005); anyone who can factor the public modulus can compute the private key. RSA operations are also far more computationally expensive than symmetric ciphers. Thus, in modern practice, RSA (or another asymmetric scheme) is used only to establish a secure session between two systems, for example to exchange or wrap a fresh symmetric key, and a symmetric cipher such as AES then encrypts the bulk of the communication. This hybrid design is what TLS does.
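To make the factoring assumption concrete, here is textbook RSA end to end, as an added example that is not from the original article or the RSA paper: key generation from two primes, encryption of a short secret (standing in for the symmetric session key a real protocol would wrap), decryption, and then the attack the assumption rules out, recovering the private key by factoring the modulus. The primes 10007 and 10009 are deliberately tiny so the factoring step finishes instantly; no padding (OAEP) is applied, which real systems require.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Textbook RSA key generation from two primes p and q.

    Returns ((n, e), (n, d)): the public key and the private key. The
    private exponent d is the inverse of e modulo phi(n) = (p-1)(q-1).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key: tuple[int, int], message: bytes) -> int:
    """Encrypt with the public key. Textbook RSA: no padding (real systems
    use OAEP), and the message, read as a big-endian integer, must be < n."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key: tuple[int, int], ciphertext: int) -> bytes:
    """Decrypt with the private key; only the holder of d can do this.
    Leading zero bytes of the original message are not preserved."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def trial_factor(n: int) -> tuple[int, int]:
    """Recover p and q by trial division. Feasible only because n is tiny;
    this loop is exactly what a 2048-bit modulus makes infeasible."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    limit = isqrt(n)
    while f <= limit:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no factor found; n is prime")


def recover_private_key(public_key: tuple[int, int]) -> tuple[int, int]:
    """The attack the factoring assumption rules out: factor n, recompute d."""
    n, e = public_key
    p, q = trial_factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # 10007 and 10009 are prime; a real key would use ~1024-bit primes each.
    public, private = rsa_keygen(10007, 10009)
    c = rsa_encrypt(public, b"Key")  # stand-in for a wrapped symmetric key
    print(rsa_decrypt(private, c))
    print(recover_private_key(public) == private)
```

With 14-bit primes the modulus is about 2^27 and `trial_factor` needs a few thousand divisions; with the 1024-bit primes of a real key the same loop would not finish in the lifetime of the universe, which is the entire security argument.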

While encryption has many uses, it faces constant threats of being compromised. For example, a sufficiently large quantum computer running Shor's algorithm would break today's public-key standards, including RSA and Elliptic Curve Cryptography (ECC), which is why post-quantum schemes such as lattice-based cryptography were developed (Bernstein, 2009); NIST published its first post-quantum standards, the lattice-based ML-KEM and ML-DSA, in 2024. Symmetric ciphers like AES are far less affected: Grover's algorithm only halves their effective key length.

In summary, as was the Cold War, so is the encryption arms race in modern times, constantly vying to create and break.

Encoding

"The limits of my language mean the limits of my world." –  Ludwig Wittgenstein

While encryption aims to secure data, encoding transforms data into a form that meets some practical constraint: usability, transmission, or storage. The scheme is public and there is no key, so anyone who recognizes the encoding can reverse it. Encoding therefore provides no confidentiality, however unreadable the result looks.

The simplest encodings are part of everyday life. Signs communicate messages, even intricate ones, through symbolism and imagery. The practice dates back to 18th-century maritime signal flags and earlier systems such as Roman numerals, and its output often crosses language barriers. A striking modern case is the marker designs proposed for long-term nuclear waste repositories, which must stay hazardous for millennia: the 'landscape of thorns' and similar proposals for the U.S. Waste Isolation Pilot Plant aim to convey danger even after every current language has changed beyond recognition.

Encoding for electrical transmission dates to 1837 and the invention of Morse code (Henderson, 2014), which made reliable communication over telegraph lines possible and was revolutionary at the time. In computing, ASCII followed in 1963. The American Standard Code for Information Interchange maps 7-bit integer values to letters, digits, punctuation, and control codes. ASCII is still everywhere, but for anything beyond English it has been superseded by Unicode, introduced in 1991 to cover other scripts; its dominant encoding, UTF-8, is backward compatible with ASCII, so the two coexist rather than one having replaced the other.

Today, standards like Base64 represent arbitrary binary data using an alphabet of 64 printable characters (plus '=' for padding), at the cost of about a 33% size increase. It is used wherever a channel only carries text: email attachments (MIME), data: URIs, HTTP Basic authentication headers, and a URL-safe variant in web traffic, which is why it also turns up as a way to obscure data in URLs. An example of Base64 encoding:

Plaintext: Hello World
\\Base64 Encoding\\
Encoded Text: SGVsbG8gV29ybGQ=

The encoded text is trivially decoded to 'Hello World' again; no secret is involved, only knowledge of the scheme.
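To show exactly why there is nothing to 'crack', here is the Base64 algorithm itself (three bytes in, four 6-bit characters out, '=' marking the unused positions of a short final group), written as an added example rather than taken from the article. The decoder also accepts input with the padding stripped and the URL-safe alphabet ('-' and '_'), two variations an analyst meets constantly; the standard library is used only to cross-check.

```python
import base64  # standard library, used only to cross-check the hand-rolled codec

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
B64_INDEX = {ch: i for i, ch in enumerate(B64_ALPHABET)}


def b64encode(data: bytes) -> str:
    """Base64: every 3 input bytes (24 bits) become 4 characters of 6 bits each.

    A final group of 1 or 2 bytes is zero-padded to 24 bits and the unused
    output characters are written as '='; that is all the padding means.
    """
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)
        bits = int.from_bytes(chunk + b"\x00" * missing, "big")
        for shift in (18, 12, 6, 0):
            out.append(B64_ALPHABET[(bits >> shift) & 0x3F])
        if missing:
            out[-missing:] = ["="] * missing
    return "".join(out)


def b64decode(text: str, url_safe: bool = False) -> bytes:
    """Reverse of b64encode. Tolerates missing '=' padding, which malware
    frequently drops, and optionally the URL-safe alphabet ('-' and '_')."""
    if url_safe:
        text = text.replace("-", "+").replace("_", "/")
    body = "".join(text.split()).rstrip("=")  # whitespace and padding carry no data
    if len(body) % 4 == 1:
        raise ValueError("truncated Base64: a lone 6-bit character cannot form a byte")
    out = bytearray()
    for i in range(0, len(body), 4):
        group = body[i:i + 4]
        bits = 0
        for ch in group:
            bits = (bits << 6) | B64_INDEX[ch]  # KeyError on a non-alphabet character
        bits <<= 6 * (4 - len(group))  # re-add the bits that padding stood for
        out += bits.to_bytes(3, "big")[: len(group) - 1]
    return bytes(out)


def stdlib_agrees(data: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    encoded = b64encode(data)
    return encoded == base64.b64encode(data).decode("ascii") and b64decode(encoded) == data


if __name__ == "__main__":
    print(b64encode(b"Hello World"))    # the article's example
    print(b64decode("SGVsbG8gV29ybGQ="))
```

The single '=' on 'SGVsbG8gV29ybGQ=' is there because 11 bytes leave a final group of only two; it says nothing about the content, which is why decoders can ignore it.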

Encoding isn't just for text and visual information. It is also what happens when we use formats like MP3 and MP4: codecs transform media into data that is both size-efficient (using lossy compression) and easy to decode back into a stream a human can hear or watch once it is 'reassembled.'

Obfuscation

"What you see depends not only on what you look at, but also on where you look from." – James Deacon

Obfuscation sits at an interesting intersection of encryption and encoding: the intent is to hide or deceive, but the result does not hold up under analytical pressure. Those familiar with Dungeons and Dragons will know Thieves' Cant, and it illustrates the point: obfuscation hides data in plain sight without making it look like gibberish, so it doesn't raise suspicion.

Code words or phrases are an early example of the technique: renaming one thing as another creates a code, a form of substitution (Sirohi, 2015). It isn't foolproof and shouldn't be confused with proven encry methods. That isn't to say obfuscation has no place in cryptography; classically, it appears as nulls (meaningless filler characters) and homophones inserted into a message to disrupt frequency analysis.

Where obfuscation crosses paths with encoding, secret or illegible symbols and iconography can be used to circumvent censorship or convey a more specific meaning. This was done as early as the Renaissance, when artists hid messages within paintings, a practice now called steganography. In the modern era the same idea is implemented by altering the least-significant bits of an image file's pixels, so that the minuscule changes in colour or texture do not betray the presence of a message now embedded in the image (Fridrich, Goljan, & Soukal, 2004). Again, this shouldn't be confused with encryption: anyone who knows the embedding scheme can extract the message, and statistical analysis of the pixel data can reveal that something was embedded even without reading it.
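Least-significant-bit embedding and its weakness, as an added example (not from the article or the cited paper). The 'image' is a constructed byte array standing in for an 8-bit grayscale bitmap, the message is constructed, and the detection statistic is a simplified numeric form of the visual attack on LSB steganography: smooth image content produces long runs in the LSB plane, while embedded data looks like noise.

```python
def make_cover(n_pixels: int) -> bytearray:
    """Constructed stand-in for an 8-bit grayscale image: a smooth ramp from
    black to white, like a clear sky. Not a real image file."""
    return bytearray((i * 256) // n_pixels for i in range(n_pixels))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def lsb_embed(cover: bytes, message: bytes) -> bytearray:
    """Write a 16-bit length header and the message into the least
    significant bit of successive pixels. Each pixel changes by at most 1."""
    payload = len(message).to_bytes(2, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Read the message back. No key is involved: anyone who knows the
    scheme (header size, bit order, pixel order) can do this."""
    def read(start_pixel: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_pixel + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def lsb_plane_smoothness(image: bytes) -> float:
    """Fraction of neighbouring pixels whose LSBs agree.

    In smooth natural content the LSB plane has long runs (value near 1.0);
    embedded data looks like noise and drives it toward 0.5. This is the
    numeric form of the classic 'visual attack' on LSB steganography.
    """
    plane = [p & 1 for p in image]
    equal = sum(1 for a, b in zip(plane, plane[1:]) if a == b)
    return equal / (len(plane) - 1)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference; 1 for LSB embedding, i.e. invisible."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(8192)                                   # capacity 1024 bytes
    secret = (b"beacon 198.51.100.7 every 300s; " * 40)[:1000]  # constructed
    stego = lsb_embed(cover, secret)
    print(lsb_extract(stego) == secret, max_pixel_change(cover, stego))
    print(round(lsb_plane_smoothness(cover), 3), round(lsb_plane_smoothness(stego), 3))
```

The two printed smoothness values are the whole story: the pixels barely changed, yet the LSB plane went from orderly to random, which a detector can see without ever recovering the message. Real images are noisier than this ramp, so production stego detectors use stronger statistics (the chi-square and sample-pair tests of the literature), but the principle is the same.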

Usage in Malware

"Nothing is more real than what cannot be seen." – Confucius

Now that we have a basic understanding of these three techniques, we can break down their functions when they are leveraged within malware. In this section we take each in turn, look at its capabilities and use cases, and then compare and contrast them to understand how they function together.

Encryption in Malware

Encryption in malware is a ubiquitous technique that protects the threat actor's operational security while frustrating defenders. It leaves defenders with few options for understanding or reading what the malware executes and communicates, unless they have advanced techniques and technologies in place to recover the plaintext, where that is possible at all.

Command-and-Control (C2) Communications

One of the most common uses of encryption in malware is protecting traffic between infected hosts and C2 servers. This ensures that threat actors can hide their intentions, at least initially, as they issue commands and exfiltrate data from the infected systems (Kushner, 2024).

One such method is to simply use HTTPS. This is highly effective: unless defenders know the attacker's infrastructure in advance or have robust threat-hunting capabilities, the traffic blends into the vast volume of legitimate TLS on port 443/tcp.

Reading this traffic 'on the wire' requires TLS inspection (still widely called SSL inspection), which is a difficult hurdle for many organizations: legal and regulatory concerns come to mind immediately, as does the risk of exposing the decrypted data itself. Many organizations choose not to deploy it for exactly those reasons, and threat actors exploit that choice by using encryption to its fullest while data is in transit. Even without decryption, however, TLS leaves metadata that hunters can use: the Server Name Indication and certificate attributes (self-signed, recently issued, mismatched names), client fingerprints such as JA3/JA4, and the regular beaconing cadence that C2 traffic tends to show.

Payload Protection

Threat actors also use encryption to prevent their code from being reverse-engineered. The payload is stored encrypted and only decrypted in memory at run time, which evades anti-malware solutions that scan files on disk.

Crypters and packers are tools that compress and/or encrypt malware binaries and wrap them in a small stub that unpacks them at run time. The process combines encryption and obfuscation to avoid detection and interpretation of the contents (SentinelOne, n.d.).

To counter these techniques, defenders use sandboxing or memory forensics to capture the code in the decrypted state it only reaches during certain portions of the malware's execution; a memory dump taken after the unpacking stub has run often contains the plaintext payload.

As the Attack Vector

Encryption isn't just a means of protecting the operational security of malware and threat actors; it can also be the attack itself. Ransomware has become a commodity that sustains actual criminal enterprises: illegitimate but functioning businesses that create, sell, distribute, and deploy ransomware as a business transaction. Ransomware simply encrypts files, and sometimes entire systems, to destroy availability in one stroke; modern 'double extortion' operations exfiltrate the data first as well, so confidentiality is lost too. A successful attack can stop an entire enterprise in its tracks and have lasting impacts, including on the global economy (CloudFlare, n.d.).

Evasion

Finally, keeping known signatures hidden from sight is a common tactic in its own right, as the previous use cases have shown; evasion is robust enough to stand on its own as a reason malware uses encryption.

There is also room here to mention custom encryption algorithms that threat actors develop to avoid cryptographic-signature detection. Tools that scan for the constants of standard algorithms (S-boxes, the RC4 key schedule, AES lookup tables) can flag a binary as suspicious merely for containing them. To avoid this, more advanced threat actors use custom or modified symmetric algorithms that bypass those scans and, in some cases, also disrupt manual cryptanalysis because of their novel implementation.

Interestingly, there is also the use of legacy and obscure encryption capabilities that are seldom used or deprecated in some way; these can bypass some detection tools simply because the tools aren't looking for forms that are 'not supposed to be used' any more.

Encoding in Malware

Encoding, like encryption, serves concealment and evasion, but it is not designed to stop defenders from reading the data; it only stops them reading it at a glance. There are also use cases where encoding is used to disrupt a defender's ability to grasp scope, function, and intent. Note that text encodings such as Base64 actually enlarge the data (by about a third); where malware gains a lightweight footprint, it comes from compression, which is often paired with encoding, just as in modern applications.

Delivery

In delivery, malware uses encoding to slip past measures that would otherwise keep it off the target system. Common examples include Base64-encoded PowerShell, where the command line carries the script as Base64 (of UTF-16LE text) that is only decoded at execution, obscuring its functionality from a casual look; hexadecimal encoding, which renders a binary payload as a hex string; and ASCII armoring, which converts payloads into printable characters so they survive channels and filters that expect text, for example when transmitting shellcode over HTTP (Lakshmanan, 2023).
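What an analyst actually does with such a command line, as an added example that is not from the article: find the `-EncodedCommand` argument (PowerShell accepts any unambiguous prefix, so `-e`, `-ec` and `-enc` all count), decode it as UTF-16LE rather than UTF-8, and pull out byte arrays written as hex literals. The command lines are constructed stand-ins for process telemetry; `ZABpAHIA` is the encoding of `dir`, and the hex array begins with the `MZ` header of a Windows executable.

```python
import base64
import re
from typing import Optional

# -e, -ec, -enc, -encodedcommand ... PowerShell accepts any unambiguous prefix.
# The pattern does not match -ExecutionPolicy (an 'x' is not allowed after -e).
ENC_FLAG = re.compile(r"(?i)(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
# Byte arrays written out as 0x.. literals, eight or more in a row.
HEX_ARRAY = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){7,}0x[0-9a-fA-F]{2}")


def encode_powershell(script: str) -> str:
    """What attacker tooling does: UTF-16LE, then Base64. This is the exact
    format -EncodedCommand expects (not UTF-8, which is the usual mistake)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode one -EncodedCommand argument, or return None if it is not one."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 2 or len(raw) % 2:
        return None
    # UTF-16LE text made of ASCII has 0x00 in every odd byte; require most of
    # them so a random Base64 token is not misread as a script.
    high_bytes = raw[1::2]
    if sum(1 for b in high_bytes if b == 0) < 0.9 * len(high_bytes):
        return None
    return raw.decode("utf-16-le")


def find_encoded_commands(cmdline: str) -> list[str]:
    """Return the decoded scripts hidden in a process command line."""
    decoded = []
    for match in ENC_FLAG.finditer(cmdline):
        script = decode_encoded_command(match.group(1))
        if script is not None:
            decoded.append(script)
    return decoded


def find_hex_arrays(text: str) -> list[bytes]:
    """Return byte arrays spelled out as 0x.. literals (e.g. an embedded PE)."""
    arrays = []
    for match in HEX_ARRAY.finditer(text):
        digits = re.findall(r"0x([0-9a-fA-F]{2})", match.group(0))
        arrays.append(bytes(int(h, 16) for h in digits))
    return arrays


# Constructed command lines standing in for EDR/Sysmon process telemetry.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -NonI -W Hidden -ExecutionPolicy Bypass -enc ZABpAHIA",
    "powershell -e " + encode_powershell(
        "Get-ChildItem $env:USERPROFILE\\Documents -Recurse | Out-File $env:TEMP\\d.txt"),
    'powershell -c "$b = 0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00; '
    "[IO.File]::WriteAllBytes('C:\\Users\\Public\\t.exe', $b)\"",
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(find_encoded_commands(line), [a[:4] for a in find_hex_arrays(line)])
```

The UTF-16LE check is the practical caveat: decoding the blob as UTF-8 yields letters interleaved with NUL bytes, and a string-matching rule written against that output will never fire.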

Exploitation

In exploitation, encoding is applied to the payloads submitted through input fields and web forms to conduct attacks like SQL injection and cross-site scripting, using URL-encoding, HTML entities, or double encoding to get past filters that match on the raw string. The same applies to encoded PowerShell commands, which avoid quoting problems and simple string matching and are a common technique in malicious macro-enabled Microsoft Office documents (Health and Human Services, 2023). Additionally, encoding is used to obscure the actual malware code when it is written in VBScript or .NET, making reverse engineering difficult and tedious.

Installation

Clever use of encoding during installation is primarily about persistence: payloads are stored encoded inside the Windows registry, which evades file-based detection, and a small loader (often a run key that invokes PowerShell or a script host) queries the registry later to extract, decode, and execute them (F-Secure, n.d.).

Command and Control (C2)

Encoding communications is a heavily used technique; combined with encryption, it renders data difficult, if not impossible, to interpret without advanced analysis. Threat actors can hide commands in encoded HTTP headers or cookies. Steganography can also carry commands or even exfiltrate data (Mathews, 2018). Finally, encoding data into DNS queries (long Base32- or hex-like labels under an attacker-controlled domain) provides a covert channel that bypasses many detection controls (Brumaghin, 2017).
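The detection side of DNS-encoded C2, as an added example that is not from the article or the Talos write-up: each query is scored on how much subdomain text it carries and how random that text looks, and a domain is reported only when it receives a stream of distinct such subdomains, which is what a tunnel produces and a normal host rarely does. The log lines are constructed (a 'timestamp client qtype qname' format standing in for a Zeek dns.log or resolver log), the tunnel labels are seeded random hex, and 'registered domain' is approximated by the last two labels, where real tooling would consult the Public Suffix List.

```python
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character. Random hex tops out at 4.0, Base32 at 5.0, Base64 at
    6.0; ordinary hostnames are usually well under 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels. Real tooling uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def query_features(qname: str) -> dict:
    """Features of the part the attacker controls: everything below the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    sub = "".join(labels[:-2])
    return {
        "labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "sub_len": len(sub),
        "entropy": shannon_entropy(sub),
        "hex_like": bool(sub) and set(sub) <= set("0123456789abcdef"),
    }


def looks_like_tunnel(qname: str, min_sub_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Per-query heuristic: a lot of subdomain text that is random-looking or
    a single encoded alphabet. Long legitimate hostnames fail the length test."""
    f = query_features(qname)
    return f["sub_len"] >= min_sub_len and (f["entropy"] >= min_entropy or f["hex_like"])


def parse_log_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def tunnel_candidates(log_lines: list[str], min_unique: int = 5) -> list[str]:
    """Domains receiving many distinct tunnel-looking subdomains. One odd query
    is weak evidence; a stream of unique ones is how tunnels look."""
    seen = defaultdict(set)
    for line in log_lines:
        rec = parse_log_line(line)
        if looks_like_tunnel(rec["qname"]):
            seen[registered_domain(rec["qname"])].add(rec["qname"])
    return sorted(domain for domain, names in seen.items() if len(names) >= min_unique)


# Constructed query log; example.* are reserved documentation domains.
_rng = random.Random(2024)


def _hexlabel(n: int) -> str:
    return "".join(_rng.choice("0123456789abcdef") for _ in range(n))


SAMPLE_LOG = [
    "2024-06-01T12:00:01Z 10.0.0.5 A www.example.com",
    "2024-06-01T12:00:02Z 10.0.0.5 AAAA mail.example.org",
    "2024-06-01T12:00:03Z 10.0.0.9 A a-long-but-legitimate-hostname-01.corp.example.org",
    "2024-06-01T12:00:04Z 10.0.0.5 A www.example.com",
] + [
    f"2024-06-01T12:01:{i:02d}Z 10.0.0.7 TXT {_hexlabel(32)}.{_hexlabel(12)}.example.net"
    for i in range(6)
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        qname = parse_log_line(line)["qname"]
        print(looks_like_tunnel(qname), query_features(qname)["entropy"], qname)
    print(tunnel_candidates(SAMPLE_LOG))
```

Thresholds like these need tuning per environment: CDNs, anti-spam lookups and some security products also generate long random-looking labels, so the per-domain aggregation and an allow-list of known services matter more than any single cut-off.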

Obfuscation in Malware

Obfuscation deliberately makes the code, script, or communications difficult to understand or analyze, both from the perspective of people and technology. Obfuscation specifically focuses on concealing intent and functionality, rather than transforming or securing data.

Evasion & Concealment

In this use case, obfuscation hides code from tools and analysts alike: it defeats signature-based detection while stopping humans from reading what actually executes. Another use case is malware that alters itself during replication or execution, known as polymorphism, which makes it hard to track over time because the bytes keep changing. A more advanced form is metamorphism, where the malware rewrites its entire codebase while keeping the same functionality, which circumvents even static analysis signatures (Perriot, Ször, & Ferrie, n.d.).

Malware can also add obfuscation through encoding or plain junk in the code itself, particularly in .NET and scripting languages that are otherwise human-readable. Packing the code with garbage and renaming variables in misleading or incoherent ways makes decoding and deobfuscating it by hand a frustrating task (Malwarebytes, n.d.).

A step further is control-flow obfuscation: calls to functions that do meaningless work (red herrings) to divert the analyst's attention, branches whose outcome is fixed but not obvious (opaque predicates), or chains of functions that could be a single line, so that the intended code has to be pieced together slowly.
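The counter-move to junk arithmetic, split strings and opaque predicates is constant folding over the parse tree, which resolves everything that does not depend on run-time input without executing the sample. Here it is as an added example (not from the article or any of the cited reports), with a constructed obfuscated snippet written in Python so that the standard `ast` module can parse it; the same transformation is what deobfuscators for PowerShell, JavaScript and VBScript perform on those languages' syntax trees. Renamed variables are left alone: nothing about `_0x1f` or `_k` can be recovered, which is why renaming survives where the rest does not.

```python
import ast
import operator

# Constructed sample of the obfuscation described above: junk arithmetic, an
# opaque predicate (always true) guarding the real code, a dead branch, and a
# string assembled from chr() calls and concatenation.
OBFUSCATED = (
    "import os as _0x1f\n"
    "if (3 * 7 - 21 == 0) or (1 == 2):\n"
    "    _k = chr(119) + 'h' + 'o' + chr(97) + 'm' + 'i'\n"
    "    _0x1f.system(_k)\n"
    "else:\n"
    "    _k = chr(99) + 'alc'\n"
)

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.Gt: operator.gt, ast.LtE: operator.le, ast.GtE: operator.ge}
_FOLDABLE = (str, int, bool)


def _is_const(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, _FOLDABLE)


class ConstantFolder(ast.NodeTransformer):
    """Evaluate expressions whose operands are all literals, without ever
    executing the sample. Children are folded first, so nested expressions
    collapse bottom-up in a single pass."""

    def visit_BinOp(self, node):
        self.generic_visit(node)
        op = _BIN_OPS.get(type(node.op))
        if op and _is_const(node.left) and _is_const(node.right):
            try:
                return ast.Constant(op(node.left.value, node.right.value))
            except (TypeError, ValueError):
                pass
        return node

    def visit_Compare(self, node):
        self.generic_visit(node)
        op = _CMP_OPS.get(type(node.ops[0])) if len(node.ops) == 1 else None
        if op and _is_const(node.left) and _is_const(node.comparators[0]):
            return ast.Constant(op(node.left.value, node.comparators[0].value))
        return node

    def visit_BoolOp(self, node):
        self.generic_visit(node)
        if all(_is_const(v) for v in node.values):
            values = [v.value for v in node.values]
            return ast.Constant(any(values) if isinstance(node.op, ast.Or) else all(values))
        return node

    def visit_Call(self, node):
        self.generic_visit(node)
        # Assumes chr() is the builtin; a sample that rebinds it would fool this.
        if (isinstance(node.func, ast.Name) and node.func.id == "chr"
                and len(node.args) == 1 and not node.keywords
                and _is_const(node.args[0]) and isinstance(node.args[0].value, int)):
            return ast.Constant(chr(node.args[0].value))
        return node

    def visit_If(self, node):
        self.generic_visit(node)
        if _is_const(node.test):  # opaque predicate resolved: keep only the live branch
            branch = node.body if node.test.value else node.orelse
            return branch or ast.Pass()
        return node


def deobfuscate(source: str) -> str:
    """Parse, fold, and print the source back with constants resolved."""
    tree = ConstantFolder().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```

After folding, the string `'whoami'` is a plain literal that any string search or YARA rule will match, and the dead `else` branch is gone; obfuscators respond by making the predicate depend on something only known at run time, which pushes the analyst toward the sandbox and memory forensics described earlier.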

Command and Control (C2)

As with encryption and encoding, obfuscation here protects operational security but also confuses and disorients defenders. Malware that beacons to multiple decoy destinations alongside its real C2 can cause defenders to block legitimate internet resources unintentionally and to distrust the indicators of compromise (IOCs) they collect, undermining containment.

Malware can also use obfuscation to disguise itself as normal-looking traffic via DNS or HTTPS, making it significantly more difficult to find and track due to the sheer volume of noise traditionally created on these services (Quequero, 2012).

Payload Delivery and Persistence

Payload delivery and persistence are where obfuscation does its most reliable work of hiding malware in normal-looking things. In delivery, obfuscation aims to fool unsuspecting victims into clicking email links, downloading and executing attachments, and so on. In persistence, malware hides inside registry keys, injects into normal-looking processes, lives in memory, and 'lives off the land' by using tools natively available on the host to achieve its objectives while thwarting detection (U.S. Government Accountability Office, 2021).

Comparative Analysis

So far we have discussed each TTP's individual applications, and their functions and concepts can now be laid side by side.

Encryption

Encryption is effective at protecting operational security and can be applied in the service of obfuscation. Without the keys, or the ability to observe the data in its decrypted state, defenders cannot see the malware's intent. However, encryption remains noisy: the data may be unreadable, but the act of encrypting leaves traces that can be detected on a system, such as high-entropy blobs, calls to cryptographic APIs, and the constants of well-known algorithms. Thus encryption is used primarily to protect information the threat actors do not want defenders to know, not to hide that something is there.
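The 'encryption is noisy' point, and the crypter/packer case from the payload-protection section above, both come down to the same measurement: encrypted bytes have near-maximal entropy, and a windowed scan finds them even when the rest of the file is ordinary. This is an added example, not code from the article; the 'binary' is a constructed byte string (PE-like header, plain code-like text, a seeded-random block standing in for an encrypted payload, zero trailer), not a real executable.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for a perfectly
    uniform byte distribution. Encrypted or compressed data sits near the top;
    code and text sit well below it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512) -> list[tuple[int, float]]:
    """Entropy of each consecutive window: (offset, bits_per_byte)."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0) -> list[tuple[int, int]]:
    """Merge adjacent high-entropy windows into (start, end) byte ranges.

    A whole-file average hides a small encrypted blob inside a large plain
    binary; the windowed scan localises it. Threshold 7.0 is a common rule of
    thumb; compressed resources (images, zip) also exceed it, so treat a hit
    as a lead to inspect, not a verdict.
    """
    regions = []
    for off, ent in entropy_profile(data, window):
        end = min(off + window, len(data))
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def build_sample_binary() -> bytes:
    """Constructed stand-in for a crypter's output: a PE-like header, a plain
    code-like section, an encrypted payload (stand-in: seeded random bytes),
    and a zero-filled trailer. Not a real executable."""
    header = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n").ljust(512, b"\x00")
    text = (b"mov eax, [ebp+8]; call decrypt_stage; jmp eax; " * 40)[:1536]
    rng = random.Random(0xC2)
    payload = bytes(rng.getrandbits(8) for _ in range(2048))
    trailer = b"\x00" * 512
    return header + text + payload + trailer


if __name__ == "__main__":
    sample = build_sample_binary()
    print(round(shannon_entropy(sample), 2))          # whole-file average is unremarkable
    for off, ent in entropy_profile(sample):
        print(f"{off:6d} {ent:4.2f} {'#' * int(ent * 4)}")
    print(high_entropy_regions(sample))               # -> [(2048, 4096)]
```

The printed profile is the same view tools such as DIE, pestudio or binwalk give per section; the region it reports is where to set a breakpoint or take the memory dump, because that is the data the stub will decrypt.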

Encoding

Encoding is a strategy to fit code to a channel, keep a payload portable, and attempt obfuscation. Because it can always be reversed, malware authors use encoding either to avoid 'detection at first sight', meaning tools and analysts that do not go beyond the surface (or do not decode the data) won't see the hidden activity, or simply to add layers of confusion that make analysis slower.

Obfuscation

Obfuscation differs from encryption and encoding because those two are actual techniques, whereas obfuscation is a tactic: a strategy for achieving an outcome. It isn't tied to a technology; it is the application of whatever means are at hand (here, technology) to distort, hide, or conceal intent and information. When we apply obfuscation, we care about hiding our presence and purpose; with encryption, by contrast, we want to hide the data itself and may not care whether we are found. Indeed, the fact that malware uses encryption at all implies the premise that eventually it will be found.

Interlacing Capabilities

Combining two or all three concepts is the norm in modern malware and exploit development. When encoding and encryption are layered with the tactical intent of obfuscation, all three act together to exhaust and frustrate the layers of defence an enterprise has ready. The layering can backfire, though: precisely because attackers rely on these techniques, defences have adapted, and a blob that is both encrypted and encoded is itself an anomaly. It is relatively easy to find the strange encrypted, encoded file lingering in someone's mailbox.

Application of the obfuscation tactic with encryption and encoding techniques takes nuance. It is based on operational experience and objectives by the malware author and the threat actor leveraging the malware.

With malware becoming ‘commercialized’ by being able to buy kits, packages, and other utilities that make it modular and work with a specific focus or intention in mind, these three concepts will evolve and integrate in various ways and layers. They often continue to compound themselves to hide, deceive, obscure, and deny defenders.

Recommendations and Conclusions

This research has attempted to, and with some success, I hope, clearly describe the differences between encryption, encoding, and obfuscation and how they intertwine when applied to malware usage.

With a focus on these concepts, there are many ways in which they intend to prevent defenders from effectively detecting and responding to them. However, all is not lost, and as we continue to grow our cybersecurity capabilities, we gain new opportunities to thwart threat actors and their use of them.

First, marketing buzzword though it is, artificial intelligence is a viable option for deep data analysis. It can help surface even the quietest malware conducting low-and-slow attacks on the network, working from traffic metadata even when the payload is encrypted. Likewise, with models trained on malware behaviour, something a few vendors already do today, sandbox technologies can find obfuscated payloads more effectively and decode them much faster than a human analyst can.

Another capability mentioned was TLS inspection, which remains a hurdle for many who choose to pursue it. The case may not be as strong as it once was, given the metadata-based detections now available, but it is an option for many organizations whose security platforms have the capability built in.

Still, despite all of this, some of the best preventative capabilities lie in proper user knowledge and training. Most threat actors still leverage social engineering laced with obfuscation techniques to fool our users, and all it takes is for one user to fall victim to fully compromise an enterprise. Taking the time to educate and reward users for their cyber hygiene is an important part of the overall cybersecurity risk management process and one that shouldn’t be taken lightly.

In conclusion, the differences between encryption, encoding, and obfuscation can be summarized as hiding the data, making the data fit its channel, and deceiving about intent, respectively. Encryption and encoding are techniques implemented via technology, while obfuscation is a tactic or concept leveraged as part of a modus operandi to gain some form of impact (concealment and deception being the primary intents).

Likewise, they all share commonalities, and at the end of the day, are used interlaced in most advanced modern malware we see today. However, they are not infallible, and with the right level of people, processes, and technology implemented by the defenders, these concepts can be defeated, exposing the threat actors and their malware.  

References

  • Asher-Dotan, L. (n.d.). What is the Conficker worm. Retrieved from maliciouslife by CyberReason: https://www.cybereason.com/blog/what-is-the-conficker-worm

  • Bair, J. (2017). Seeking the Truth from Mobile Evidence: Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations 1st Edition. Academic Press.

  • Baker, K. (2023, February 28). The 12 Most Common Types of Malware. Retrieved from CrowdStrike: https://www.crowdstrike.com/cybersecurity-101/malware/types-of-malware/

  • Bernstein, D. J. (2009). Introduction to post-quantum cryptography. Chicago, IL: University of Illinois at Chicago.

  • Brooks, C. (2023, May 5). Cybersecurity Trends & Statistics; More Sophisticated And Persistent Threats So Far In 2023. Retrieved from Forbes: https://www.forbes.com/sites/chuckbrooks/2023/05/05/cybersecurity-trends--statistics-more-sophisticated-and-persistent-threats-so-far-in-2023/

  • Brumaghin, E. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved from Cisco Talos: https://blog.talosintelligence.com/dnsmessenger/

  • CloudFlare. (n.d.). What was the WannaCry ransomware attack? Retrieved from CloudFlare: https://www.cloudflare.com/learning/security/ransomware/wannacry-ransomware/

  • EC-Council. (2018). Certified Ethical Hacker (CEH) Version 10 w/ iLabs (Volume 1: Ethical Hacking Concepts and Methodology). Albuquerque, NM: International Council of E-Commerce Consultants (EC Council).

  • EC-Council. (2018). Certified Ethical Hacker (CEH) Version 10 w/ iLabs (Volume 2: Ethical Hacking Concepts and Methodology). Albuquerque, NM: International Council of E-Commerce Consultants (EC Council).

  • Federation of American Scientists. (2020, November 27). The Intelligence Cycle. Retrieved from Federation of American Scientists: https://fas.org/irp/cia/product/facttell/intcycle.htm

  • Fridrich, J., Goljan, M., & Soukal, D. (2004). Searching for the Stego Key. Binghamton, NY: SUNY Binghamton.

  • F-Secure. (n.d.). Trojan:W32/Poweliks. Retrieved from F-Secure: https://www.f-secure.com/v-descs/trojan-w32-poweliks.shtml

  • GCHQ. (n.d.). CyberChef. Retrieved from GCHQ Github: https://gchq.github.io

  • Health and Human Services. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved from HHS: https://www.hhs.gov/sites/default/files/emotet-the-enduring-and-persistent-threat-to-the-hph-tlpclear.pdf

  • Henderson, T. (2014, April 17). Ancient Computer Character Code Tables - and Why They're Still Relevant. Retrieved from SmartBear: https://web.archive.org/web/20140430000312/http://blog.smartbear.com/development/ancient-computer-character-code-tables-and-why-theyre-still-relevant/

  • History of the Enigma. (n.d.). Retrieved from Crypto Museum: https://www.cryptomuseum.com/crypto/enigma/hist.htm

  • Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin.

  • Kerner, S. M. (2024, January 3). Ransomware trends, statistics and facts heading into 2024. Retrieved from TechTarget Security: https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts

  • Kumar, A. (2024, June 27). Caesar Cipher in Cryptography. Retrieved from Geeks for Geeks: https://www.geeksforgeeks.org/caesar-cipher-in-cryptography/#

  • Kushner, D. (2024, May 24). The Real Story of Stuxnet. Retrieved from IEEE Spectrum: https://spectrum.ieee.org/the-real-story-of-stuxnet

  • Lakshmanan, R. (2023, February 9). Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms. Retrieved from The Hacker News: https://thehackernews.com/2023/02/gootkit-malware-adopts-new-tactics-to.html

  • Malwarebytes. (n.d.). Trickbot. Retrieved from Malwarebytes: https://www.malwarebytes.com/trickbot

  • Mathews, L. (2018, December 18). Cybercriminals Are Controlling Malware Through Twitter Memes. Retrieved from Forbes: https://www.forbes.com/sites/leemathews/2018/12/18/cybercriminals-hide-malware-commands-twitter-memes/?sh=1d44b9ee7abe

  • Perriot, F., Ször, P., & Ferrie, P. (n.d.). Striking Similarities: Win32/Simile and Metamorphic Virus Code. Cupertino, CA: Symantec. Retrieved from Symantec Security Response.

  • Quequero. (2012, March 16). DarkComet analysis – Understanding the Trojan used in Syrian uprising. Retrieved from InfoSec Institute: https://www.infosecinstitute.com/resources/malware-analysis/darkcomet-analysis-syria/

  • Rivest, R., Shamir, A., & Adleman, L. (1977). A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Cambridge, MA: Massachusetts Institute of Technology.

  • Rudolph, H. C., & Grundmann, N. (2021, February 28). Cipher Suites. Retrieved from Ciphersuite: https://ciphersuite.info/cs/?tls=tls12

  • SentinelOne. (n.d.). LockBit 3.0 (LockBit Black). Retrieved from SentinelOne Anthology: https://www.sentinelone.com/anthology/lockbit-3-0-lockbit-black/

  • Sheldon, R., Loshin, P., & Cobb, M. (n.d.). encryption. Retrieved from TechTarget: https://www.techtarget.com/searchsecurity/definition/encryption

  • Sirohi, D. M. (2015). Cyber Terrorism and Information Warfare. New Delhi, India: Vij Books India Private Limited.

  • U.S. Government Accountability Office. (2021, April 22). SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response. Retrieved from GAO: https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

  • Unit 42, Palo Alto Networks. (2024). 2024 Incident Response Report. Santa Clara, CA: Palo Alto Networks.

  • Verizon Business. (2024). 2024 Data Breach Investigations Report. Verizon.

  • Weisstein, E. W. (2005, November 8). RSA-640 Factored. Retrieved from Wolfram MathWorld: https://mathworld.wolfram.com/news/2005-11-08/rsa-640/


Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr