Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.
Polyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.[1]
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as |
| S1074 | ANDROMEDA |
ANDROMEDA has been delivered through a LNK file disguised as a folder.[3] |
| S1053 | AvosLocker |
AvosLocker has been disguised as a .jpg file.[4] |
| G1043 | BlackByte |
BlackByte masqueraded configuration files containing encryption keys as PNG files.[5] |
| S1063 | Brute Ratel C4 |
Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[6] |
| S1190 | Kapeka |
Kapeka masquerades as a Microsoft Word Add-In file, with the extension |
| S1213 | Lumma Stealer |
Lumma Stealer has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though the files contained malicious JavaScript content.[9] |
| S1182 | MagicRAT |
MagicRAT can download additional executable payloads that masquerade as GIF files.[10] |
| G0129 | Mustang Panda |
Mustang Panda has masqueraded malicious executables as legitimate files that download PlugX malware.[11][12] |
| C0022 | Operation Dream Job |
During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[13][14] |
| S0352 | OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has disguised it's true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.[15] |
| S0650 | QakBot |
The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.[16][17] |
| S1130 | Raspberry Robin |
Raspberry Robin has historically been delivered via infected USB drives containing a malicious LNK object masquerading as a legitimate folder.[18] |
| S1238 | STATICPLUGIN |
STATICPLUGIN has masqueraded as a BMP file to hide its true MSI file extension.[19] |
| S1183 | StrelaStealer |
StrelaStealer has been distributed as a DLL/HTML polyglot file.[20][21] |
| G1017 | Volt Typhoon |
Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[22] |
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware |
Anti-virus can be used to automatically quarantine suspicious files. |
| M1040 | Behavior Prevention on Endpoint |
Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures. |
| M1038 | Execution Prevention |
Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed.[23] Restrict and/or block execution of files where headers and extensions do not match. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0226 | Detection Strategy for Masquerading via File Type Modification | AN0630 |
Detects behavior where files with non-executable or misleading extensions (e.g., .jpg, .txt) are created or modified but subsequently executed as binaries based on internal file headers or abnormal parent process lineage. This includes identifying polyglot files or malformed magic bytes indicative of masquerading attempts. |
| AN0631 |
Detects when a script or binary is named with misleading or benign-looking extensions (.jpg, .doc) and is then executed via command line or a scheduled task. Includes ELF header mismatches and content-type inconsistencies on disk. |
||
| AN0632 |
Detects binaries disguised as media or document types through extension-only masquerading or by modifying the file signature. Observes execution of files whose extension is not typically executable (.jpg, .txt), yet have valid Mach-O headers or execute via Terminal or launch services. |