Masquerading Attacks Explained - MITRE ATT&CK T1036


Masquerading is a technique in which adversaries alter the features of their malicious artifacts to match those of legitimate and trusted ones. Code signatures, names, locations of malware, task names, and service names are examples of these features. After masquerading, malicious artifacts such as malware files appear legitimate to users and security controls.

This blog explains the T1036 Masquerading technique of the MITRE ATT&CK® framework, the eighth technique in the Top 10 MITRE ATT&CK techniques list.


Masqueraded Objects

Masqueraded objects used for defense evasion fall into four categories:

1. Masquerading File Extensions

This adversary behavior involves tricking a user or an application into opening a file that appears to be a benign file type because of its apparent extension. In each case, the extension the user perceives does not reflect the file's actual extension. The following sub-techniques of the masquerading technique involve masqueraded extensions:

  • T1036.002 Right-to-Left Override
  • T1036.006 Space after Filename
  • T1036.007 Double File Extension

2. Masquerading Names

Attackers may change:

  • names of malicious files with the names of legitimate and trusted applications, such as "flash_en.exe" (T1036.005 Match Legitimate Name or Location)

  • names of legitimate system utilities before using them, since some security tools monitor these built-in utilities to detect their suspicious use (T1036.003 Rename System Utilities)

  • names of tasks or services, replacing them with the names of legitimate tasks or services to make them appear benign and avoid detection (T1036.004 Masquerade Task or Service).

3. Masquerading File Locations

Adversaries may masquerade file locations by:

  • placing malicious files in trusted directories such as "C:\Windows\System32" to evade defenses

  • creating directories similar to those used by known software, such as "C:\Intel\"

  • changing the malware's whole path, including the directory and file name, such as "C:\NVIDIA\NvDaemon.exe"

These methods are categorized under the T1036.005 Match Legitimate Name or Location sub-technique.

4. Masquerading File Signatures

Adversaries copy the code signature and metadata of valid, signed programs and attach them to their malware to evade defenses (T1036.001 Invalid Code Signature).

Masquerading Sub-techniques

T1036.001 Invalid Code Signature

Code signing is the method of digitally signing executables to verify the author of the executable and to guarantee that its integrity is intact. In this sub-technique, cyber threat actors copy the metadata and code signature information of signed files to their malware.

Adversary Use:

Since a code signature is only valid for the specific program it was computed over, it is not valid for any other program. Therefore, unlike the T1553 Subvert Trust Controls technique [1], cloning a code signature does not produce a valid signature. The cloned signature may trick users and some security controls that only check for the presence of a signature, but it cannot pass digital signature validation. Adversaries use the following tools for this technique:

  • MetaTwin: This tool copies the metadata and Authenticode signature from one file and injects them into another [2].

  • Resource Hacker: MetaTwin uses this tool to extract the resources of a legitimate binary [3].

  • SigThief: MetaTwin uses this tool to extract the digital signature information of the legitimate binary [4]. MetaTwin then transfers the extracted metadata and digital signature information to a target binary.

T1036.002 Right-to-Left Override

The Right-to-Left Override (RTLO or RLO) character causes the text that follows it to be displayed in right-to-left order. It is a non-printing Unicode character (U+202E) intended for displaying text in languages written from right to left.

For example, the file name "bank_statementU+202Etxt.exe" appears on the screen as "bank_statementexe.txt". Users may think the file is a text file, but it is an executable. Note that the override only affects the visual appearance of the file name; the actual file name still ends with the extension ".exe".
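An added example (not code from the original post) that reproduces the display trick above and recovers the real extension: it lists any Unicode bidi control characters in a filename, approximates what a renderer shows for a single U+202E, and reports the extension the operating system will actually use. The sample filename is constructed to match the text.

```python
import ntpath
import unicodedata

# Unicode bidi classes of the control characters that can reorder displayed text.
# RLO (U+202E) is the one used in the text; the others are its close relatives.
BIDI_CONTROL_CLASSES = {"RLO", "LRO", "RLE", "LRE", "PDF", "RLI", "LRI", "FSI", "PDI"}


def bidi_controls(name):
    """Return the code points of any bidi control characters present in a filename."""
    return [f"U+{ord(ch):04X}" for ch in name
            if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES]


def displayed_name(name):
    """Approximate what a renderer shows for a name holding a single U+202E:
    everything after the override appears in reverse order."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def true_extension(name):
    """The extension the OS actually uses, i.e. with the bidi controls stripped."""
    clean = "".join(ch for ch in name
                    if unicodedata.bidirectional(ch) not in BIDI_CONTROL_CLASSES)
    return ntpath.splitext(clean)[1].lower()


def inspect_filename(name):
    """Flag a filename whose displayed extension differs from its real one."""
    controls = bidi_controls(name)
    shown = displayed_name(name)
    return {
        "displayed": shown,
        "displayed_extension": ntpath.splitext(shown)[1].lower(),
        "true_extension": true_extension(name),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed sample matching the example in the text
    print(inspect_filename("bank_statement\u202etxt.exe"))
```

A mail gateway or upload handler can reject or quarantine any filename for which `bidi_controls` is non-empty, since legitimate filenames have no reason to carry these characters.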

Adversary Use:

Adversaries use the RTLO character to trick users into opening malware files by showing a benign file extension instead of an executable one. This technique is commonly combined with the T1204 User Execution technique [5] and the T1566.001 Spearphishing Attachment technique [6]. Some examples of right-to-left override abuse by malware and APT groups are:

  • Etumbot backdoor: This malware leverages the RTLO technique with convincing icons for PDF or Microsoft Office documents to trick users into clicking and executing the malware file delivered via spearphishing [7].

  • APT group: A threat group used the RTLO technique to disguise an SCR (Windows screensaver) malware file as a document file [8].

  • Telegram abuse: Attackers used this technique to trick Telegram users by changing the displayed file extension [9].

  • Sirefef: This malware uses the RTLO technique and creates registry entries that appear to be legitimate Google Update entries [10].

T1036.003 Rename System Utilities

Adversaries frequently abuse built-in Windows system utilities to bypass defensive security controls. cmd.exe, certutil.exe, and rundll32.exe are some of the most commonly misused utilities. Because adversaries use these utilities so frequently, security controls may monitor them to detect suspicious activity, so adversaries rename the utility before use to evade controls that key on its original file name.

Adversary Use:

  • Operation Soft Cell: In this attack campaign, the threat actors changed the name of cmd.exe to cdm.exe [11].

  • Korplug: This malware uses a renamed certutil.exe (msoia.exe) to decode the CAB file [12].
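An added detection example (not from the original post or the cited reports) for the renamed-utility cases above: Sysmon process-creation events carry an OriginalFileName field read from the executable's PE version resource, which survives a rename on disk, so comparing it with the on-disk image name exposes cdm.exe and msoia.exe for what they are. The event records are constructed to resemble Sysmon output and are not real telemetry.

```python
import ntpath

# Constructed Sysmon-style process-creation records (not real telemetry).
# Sysmon fills OriginalFileName from the PE version resource and logs "-" when
# the binary has none.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\Public\cdm.exe", "OriginalFileName": "Cmd.Exe"},         # Soft Cell style
    {"Image": r"C:\ProgramData\msoia.exe", "OriginalFileName": "CertUtil.exe"},  # Korplug style
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Tools\build.exe", "OriginalFileName": "-"},                    # no version info
]

# Utilities worth watching: the three named in the text plus a few other common LOLBins.
WATCHED_UTILITIES = {"cmd.exe", "certutil.exe", "rundll32.exe",
                     "powershell.exe", "regsvr32.exe", "mshta.exe"}


def is_renamed(event):
    """True when the on-disk name differs from the name compiled into the binary."""
    original = event.get("OriginalFileName", "").strip().lower()
    if original in ("", "-"):
        return False  # nothing to compare against
    return ntpath.basename(event["Image"]).lower() != original


def find_renamed_utilities(events, watched=WATCHED_UTILITIES):
    """Return (on-disk name, original name) pairs for renamed copies of watched utilities."""
    hits = []
    for event in events:
        if is_renamed(event) and event["OriginalFileName"].lower() in watched:
            hits.append((ntpath.basename(event["Image"]), event["OriginalFileName"]))
    return hits


if __name__ == "__main__":
    for disk_name, original in find_renamed_utilities(EVENTS):
        print(f"renamed utility: {disk_name} is really {original}")
```

OriginalFileName is itself just a version-resource string that an adversary can edit, so this check is best paired with file hash or signature checks against the known-good utility.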

T1036.004 Masquerade Task or Service

Attackers use operating systems' task and service functionality to facilitate the initial or recurring execution of their malicious code [13] [14]. Security controls can quickly detect tasks and services with unusual custom names. Therefore, adversaries give their malicious task or service the name of a legitimate one to appear benign and evade detection.

Adversary Use:

Adversaries often use names identical or similar to those of legitimate tasks and services run by Windows services, Linux systemd services, the Windows Task Scheduler, and at (Linux and Windows).

  • ComRAT: This installer malware creates a registry entry named WSqmCons to appear associated with the Windows SQM Consolidator [15].

  • FIN7: The APT group establishes persistence using scheduled tasks named AdobeFlashSync [16].

  • Disttrack: The Disttrack wiper malware creates a service named ntssrv, with a display name of "Microsoft Network Realtime Inspection Service" and a description of "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols" [17].

T1036.005 Match Legitimate Name or Location

Attackers may match the names or locations of their artifacts to those of legitimate files to evade defensive security controls.

Adversary Use:

  • Tropic Trooper: This cyberespionage group places its USBferry malware in the "%USERPROFILE%\Documents\Flash\" folder and changes its name to "flash_en.exe" [18].

  • Operation In(ter)ception: In this cyberespionage campaign, threat actors disguised their files and folders by naming them similar to known software and companies, such as "C:\Intel\IntelV.cgi" [19].

  • Pony Trojan: This malware used the well-known Adobe Reader icon and "security" as the filename to look trustworthy [20].

T1036.006 Space after Filename

Adding a space to the end of a filename in macOS changes how the operating system handles the file. If an executable Mach-O file is named "trojan.txt", double-clicking it opens it in the text editing program, so the executable does not run. However, if the file is renamed "trojan.txt " (note the trailing space), macOS treats the file as executable and runs the binary when a user double-clicks it.

Adversary Use:

  • OSX/Keydnap backdoor: This malware was distributed in a zip archive containing a binary named "screenshot.jpg " [21]. Because the filename ends with a space character, it is executed by Terminal.app rather than opened as an image; when a user double-clicks it, the Keydnap backdoor runs.

T1036.007 Double File Extension

A file name may contain a secondary file type extension, so that some views display only the first one. Although "filename.txt.exe" may appear as "filename.txt" in such views, the second extension is the actual file type and determines how the file is opened and executed. Adversaries therefore use a double extension to disguise the actual file type [22].

Microsoft Windows hides the extensions of known file types by default (the "Hide file extensions for known file types" setting). Malware authors abuse this behavior to trick unsuspecting users into opening files that appear legitimate but are dangerous executables.

Adversary Use:

Typically, common file types such as text and document files (e.g. .txt, .doc, .pdf) and image files (e.g., .jpg, .png, .gif) are used as the first extension to make the file appear benign. Dangerous executable extensions (e.g., .exe, .vbs, .com, .ps1, .dat, .hta, .htm, .js) frequently appear as the second extension and true file type. These files frequently masquerade as email attachments.

Some examples are:

  • FIN7 APT group: They used a ZIP file as the spearphishing attachment in 2021 [23]. When the victim double-clicks the email attachment, the ZIP archive is decompressed and a file with a long filename and a double extension (.txt.js) is presented. Because Windows hides the .js extension by default, the victim sees filename.txt. When the victim double-clicks the file, the Windows Script Host executes the JavaScript code.

  • Avaddon ransomware loader: This malware is sent as a double extension attachment (.jpg.js) in spearphishing emails, tricking the victim into thinking an image was leaked online and sent to them [24].

Adversaries also leverage double extensions against web applications that determine a file's type by locating the "." (dot) character in the filename and taking the string after it. This can bypass a file extension blocklist. For example, when ".jpg" is permitted in Apache, a PHP file may be executed using the double extension technique, such as "file.php.jpg" [25].

  • Drupal had a double extension vulnerability (CVE-2020-13671). Adversaries add a second file extension to a malicious file, allowing them to upload it to a Drupal site and execute the payload [26]. For example, a malicious file named malware.php could be renamed "malware.php.txt". When uploaded to a Drupal site, the file is classified as a text file rather than a PHP file, but the malicious PHP code executes when Drupal attempts to read the text file.
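An added example (not from the original post, OWASP, or Drupal) showing the flawed upload check described above next to a hardened one: the flawed version takes the string after the first dot and compares it with a blocklist, which "file.php.jpg" slips past; the hardened version rejects any executable segment anywhere in the name (so "malware.php.txt" fails too), restricts extensions to a plain character set, and accepts only an allowlisted final extension. The extension lists are constructed for the example.

```python
import re

# Extensions the server must never treat as an upload type (constructed list).
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php5", "phar", "exe", "js", "vbs", "hta", "ps1", "com"}
# The only extensions the hardened check will accept (constructed allowlist).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}


def vulnerable_allowed(filename):
    """The flawed check from the text: 'extension' is everything after the first dot,
    compared against a blocklist. 'file.php.jpg' yields 'php.jpg', which is not listed."""
    ext = filename.split(".", 1)[1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTS


def hardened_allowed(filename):
    """Allowlist-based check that treats every dot-separated segment as an extension."""
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile
    exts = parts[1:]
    # Apache-style multi-extension handlers may run 'x.php.jpg' as PHP, so reject any
    # executable segment anywhere in the name, not just the last one.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False
    # Extensions must be short and plain; this also rejects trailing junk and spaces.
    if any(not re.fullmatch(r"[a-z0-9]{1,8}", e) for e in exts):
        return False
    return exts[-1] in ALLOWED_EXTS


def compare(filename):
    """Side-by-side verdict for one upload name."""
    return {"name": filename,
            "vulnerable": vulnerable_allowed(filename),
            "hardened": hardened_allowed(filename)}


if __name__ == "__main__":
    # Constructed upload names, including the two from the text
    for n in ("photo.jpg", "file.php.jpg", "malware.php.txt", "shell.php", "notes.txt "):
        print(compare(n))
```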

References

[1]   “Subvert Trust Controls: Code Signing, Sub-technique T1553.002 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1553/002/.

[2]   threatexpress, “threatexpress/metatwin,” GitHub. https://github.com/threatexpress/metatwin.

[3]   “Resource Hacker.” http://angusj.com/resourcehacker/.

[4]   secretsquirrel, “secretsquirrel/SigThief,” GitHub. https://github.com/secretsquirrel/SigThief.

[5]   “User Execution: Malicious File, Sub-technique T1204.002 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1204/002/.

[6]   “Phishing: Spearphishing Attachment, Sub-technique T1566.001 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1566/001/.

[7]   ASERT, “Illuminating the Etumbot APT Backdoor,” Jun-2014. https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf.

[8]   “Threat Actor Groups use COVID-19 pandemic theme – Red Alert.” https://redalert.nshc.net/2020/04/16/threat-actor-groups-use-covid-19-pandemic-theme/.

[9]   A. Firsh, “Zero-day vulnerability in Telegram.” https://securelist.com/zero-day-vulnerability-in-telegram/83800/.

[10]   “Sirefef Malware Found Using Unicode Right-to-Left Override Technique.” https://threatpost.com/sirefef-malware-found-using-unicode-right-to-left-override-technique/102033/.

[11]   “Virus Bulletin :: VB2019 paper: Operation Soft Cell – a worldwide campaign against telecommunication providers.” https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-operation-soft-cell-worldwide-campaign-against-telecommunication-providers/.

[12]   “COVID-19 Ongoing Cyber Updates.” https://blog.cyberint.com/covid-19-ongoing-cyber-updates.

[13]   “Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1053/005/.

[14]   “Create or Modify System Process: Windows Service, Sub-technique T1543.003 - Enterprise | MITRE ATT&CK®.” https://attack.mitre.org/techniques/T1543/003/.

[15]   M. Faou, “From Agent.BTZ to ComRAT v4.” https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf.

[16]   M. Gorelik, “FIN7 Takes Another Bite at the Restaurant Industry.” https://blog.morphisec.com/fin7-attacks-restaurant-industry.

[17]   R. Falcone, “Shamoon 2: Return of the Disttrack Wiper,” Unit42, 30-Nov-2016. https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/.

[18]   J. Chen, “Tropic Trooper’s Back: USBferry Attack Targets Air-gapped Environments.” https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf.

[19]   D. Breitenbacher and K. Osis, “Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies | WeLiveSecurity,” WeLiveSecurity, 17-Jun-2020. https://www.welivesecurity.com/2020/06/17/operation-interception-aerospace-military-companies-cyberspies/.

[20]   hasherezade, “No money, but Pony! From a mail to a trojan horse - Malwarebytes Labs,” Malwarebytes Labs, 19-Nov-2015. https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/.

[21]   “Mac Malware of 2016 | Synack Blog,” Synack. https://www.synack.com/blog/mac-malware-2016/.

[22]   “Masquerading: Double File Extension.” https://attack.mitre.org/techniques/T1036/007/.

[23]   Cyber Intel Unit, “Cybercriminal Group FIN7 Suspected Of Recon Campaign,” 29-Sep-2021. https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/likely-fin7-recon-campaign/.

[24]   C. Nocturnus, “Cybereason vs. Avaddon Ransomware.” https://www.cybereason.com/blog/cybereason-vs.-avaddon-ransomware.

[25]   “Unrestricted File Upload.” https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload.

[26]   “CVE-2020-13671: Exploiting Drupal double extension vulnerability,” 20-Nov-2020. https://www.iicybersecurity.com/cve-2020-13671-exploiting-drupal-double-extension-vulnerability.html.
