Masquerading: Masquerade File Type
Other sub-techniques of Masquerading (10)
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.
Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)
Примеры процедур |
|
| Название | Описание |
|---|---|
|
During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as `.txt` files.(Citation: Dragos Crashoverride 2018) |
|
|
During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020) |
|
| Volt Typhoon |
Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.(Citation: Secureworks BRONZE SILHOUETTE May 2023) |
| QakBot |
The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
| Raspberry Robin |
Raspberry Robin has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.(Citation: RedCanary RaspberryRobin 2022) |
| ANDROMEDA |
ANDROMEDA has been delivered through a LNK file disguised as a folder.(Citation: Mandiant Suspected Turla Campaign February 2023) |
| Brute Ratel C4 |
Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.(Citation: Palo Alto Brute Ratel July 2022) |
| AvosLocker |
AvosLocker has been disguised as a .jpg file.(Citation: Trend Micro AvosLocker Apr 2022) |
| OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has disguised it's true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.(Citation: Trend Micro MacOS Backdoor November 2020) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
| Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
| Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Ссылки
- Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.
- Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
- Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022.
- Kessler, G. (2022, December 9). GCK'S FILE SIGNATURES TABLE. Retrieved August 23, 2022.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
- YesWeRHackers. (2021, June 16). File Upload Attacks (Part 2). Retrieved August 23, 2022.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
- Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.