1. Home
  2. Techniques
  3. Enterprise
  4. Masquerading
  5. Masquerade File Type

Masquerading: Masquerade File Type

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename System Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG.

Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.

Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.[1]

ID: T1036.008
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Ben Smith, @ezaspy; CrowdStrike Falcon OverWatch
Version: 1.0
Created: 08 March 2023
Last Modified: 14 June 2023
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team masqueraded executables as .txt files.[2]
S1074 ANDROMEDA

ANDROMEDA has been delivered through a LNK file disguised as a folder.[3]
S1053 AvosLocker

AvosLocker has been disguised as a .jpg file.[4]
S1063 Brute Ratel C4

Brute Ratel C4 has used Microsoft Word icons to hide malicious LNK files.[5]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group disguised malicious template files as JPEG files to avoid detection.[6][7]
S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has disguised it's true file structure as an application bundle by adding special characters to the filename and using the icon for legitimate Word documents.[8]
S0650 QakBot

The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.[9][10]
G1017 Volt Typhoon

Volt Typhoon has appended copies of the ntds.dit database with a .gif file extension.[11]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Anti-virus can be used to automatically quarantine suspicious files.

M1040 Behavior Prevention on Endpoint

Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.
M1038 Execution Prevention

Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed.[12] Restrict and/or block execution of files where headers and extensions do not match.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for abnormal command execution from otherwise non-executable file types (such as .txt and .jpg).

DS0022 File File Modification

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[13] In Linux, the file command may be used to check the file signature.[14]

References

  1. Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.
  2. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  3. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  4. Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
  5. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  6. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  7. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  1. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  2. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  3. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  4. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  5. YesWeRHackers. (2021, June 16). File Upload Attacks (Part 2). Retrieved August 23, 2022.
  6. Li, V. (2019, October 2). Polyglot Files: a Hacker’s best friend. Retrieved September 27, 2022.
  7. Kessler, G. (2022, December 9). GCK'S FILE SIGNATURES TABLE. Retrieved August 23, 2022.