Masquerading Attacks Explained - MITRE ATT&CK T1036

Masquerading is an adversary technique to alter the features of their malicious artifacts to appear as legitimate and trusted ones. Code signatures, names, locations of malware, task names, and services are examples of these features. After masquerading, malicious artifacts such as malware files appear legitimate to users and security controls.

In this blog, we explain the T1036 Masquerading technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns in detail.

Masqueraded Objects

Masquerading File Extensions

This adversary behavior involves tricking a user or an application into opening a file that appears to be a benign file type because of its apparent extension, so the extension perceived by the user does not match the file's actual extension. The following sub-techniques of masquerading cover masqueraded extensions:

  • T1036.002 Right-to-Left Override

  • T1036.006 Space after Filename

  • T1036.007 Double File Extension

  • T1036.008 Masquerade File Type

Masquerading Names

Attackers may change:

  • names of malicious files to the names of legitimate and trusted applications, such as "svchost.exe" (T1036.005 Match Legitimate Name or Location).
  • names of legitimate system utilities before using them, since some security tools monitor these built-in utilities to detect their suspicious use (T1036.003 Rename System Utilities).
  • names of malicious tasks or services to the names of legitimate tasks or services so that they appear benign and avoid detection (T1036.004 Masquerade Task or Service).

Masquerading File Locations

Adversaries may masquerade file locations by:

  • placing malicious files in trusted directories such as "C:\Windows\System32" to evade defenses;
  • creating directories that resemble those used by known software, such as "C:\Intel\";
  • changing the malware's whole path, including the directory and file name, such as "C:\NVIDIA\NvDaemon.exe".

These methods are categorized under the T1036.005 Match Legitimate Name or Location sub-technique. 

Masquerading File Signatures 

Adversaries use the T1036.001 Invalid Code Signature sub-technique to copy the code signature and metadata of valid, signed programs onto their malware. This technique can help malware evade signature-based defenses.

Masquerading Execution Process

Adversaries use the T1036.009 Break Process Trees technique to modify the executed malware's parent process ID. This technique allows adversaries to evade process tree-based detection controls by breaking the relationship between parent and child processes.

Sub-techniques of T1036 Masquerading

T1036.001 Invalid Code Signature

Code signing is the method of digitally signing executables to verify the author of the executable and guarantee that the integrity of the executable is intact. In this sub-technique, cyber threat actors copy the metadata and code signature information of signed files to their malware.

A code signature is only valid for the specific program it was computed over, so it is not valid for any other program. Therefore, unlike the T1553 Subvert Trust Controls technique [1], cloning a code signature does not produce a valid signature. Although the cloned signature may trick users and some security controls, it cannot pass digital signature validation.

Adversaries use the following tools for this technique:

  • MetaTwin: This tool can copy the metadata and Authenticode signature from one file and inject them into another [2].
  • Resource Hacker: MetaTwin uses this tool to extract the resources of a legitimate binary [3].
  • SigThief: MetaTwin uses this tool to extract the digital signature information of the legitimate binary [4]. Then, MetaTwin transfers the extracted metadata and digital signature information to a target binary.

In March 2023, UNC4736 was able to sign a trojanized version of the 3CX Desktop App in a supply chain attack [5]. The adversaries used SigFlip, a tool designed for patching Authenticode-signed PE files, to inject their malicious payload into the legitimate application [6]. Since SigFlip does not break the existing Authenticode signature, the adversaries were able to deceive unsuspecting users into downloading the trojanized 3CX Desktop App from the official website.

T1036.002 Right-to-Left Override

The Right-to-Left Override (RTLO or RLO) character is a non-printing Unicode character (U+202E) that causes the text following it to be displayed in right-to-left order. It exists to render text for languages written from right to left.

For example, the file name "bank_statement<U+202E>txt.exe" will appear on the screen as "bank_statementexe.txt". Users may think that the file is a text file, but it is an executable. Note that this only affects the visual appearance of the file name; the actual file name still ends with the extension ".exe".

Adversaries use the RTLO character to trick users into opening malware files by making the file extension look benign instead of executable. This technique is commonly used together with the T1204 User Execution technique [7] and the T1566.001 Spearphishing Attachment technique [8].

In April 2023, CERT Polska reported that the SnowyAmber malware dropper uses the Right-to-Left Override (RLO) technique [9]. The malware operators used the RTLO character to disguise their malicious payload as a harmless PDF document named "november_schedulexe.pdf". When an unsuspecting user executes it, the payload runs the SnowyAmber malware via DLL search order hijacking.

T1036.003 Rename System Utilities

Native system utilities such as cmd.exe, certutil.exe, and rundll32.exe have many legitimate uses in the daily operation of an operating system, and security controls are configured to track malicious use of these utilities. To evade detection, adversaries often rename built-in system utilities or move them to different directories prior to their malicious operation.

The infamous infostealer QakBot uses this technique to rename the Windows binary Regsvr32 [10]. QakBot operators were observed copying the binary to the /tmp directory and renaming it prior to malicious operations. Moreover, QakBot stores portions of the "regsvr32.exe" binary name as variables and calls them at random during execution. These actions help adversaries avoid detection by security controls and hinder malware analysis.

T1036.004 Masquerade Task or Service

Security controls can be set to detect custom-named tools and services quickly, and they often whitelist certain system tasks or services to reduce false positive alerts. While this practice is convenient for daily operations, adversaries give their malicious task or service the name of a legitimate one in order to appear legitimate and evade detection.

Adversaries often use identical or similar names of legitimate tasks/services executed by Windows services, Linux systemd services, the Windows Task Scheduler, and at (Linux and Windows).

  • Trigona ransomware: Trigona ransomware was reported to have deliberately named its ransomware binary after a common and essential Windows process. To blend seamlessly into the Windows environment, the payload was named svhost.exe, resembling the genuine Windows binary svchost.exe [11].
  • WinSCP: Adversaries named their malware executable "pythonw.exe" to avoid suspicion during the installation process. Additionally, the malware was digitally signed and designed to launch without pop-up windows, improving its chances of avoiding detection [12].
  • Icarus Stealer: Adversaries use malware droppers to deliver Icarus Stealer to compromised systems and store the stealer as svchost.exe and svchost.bat so that it appears to be a trusted Windows binary. However, these files are unencrypted forms of Icarus Stealer and are used to exfiltrate the victim's data to an adversary-controlled Discord server [13].

T1036.005 Match Legitimate Name or Location

Adversaries exploit the inherent trust associated with legitimate names and directories, such as native binaries in the System32 directory in Windows environments. Strategically placing malicious executables in directories that are commonly trusted by operating systems or users makes malware less likely to arouse suspicion or trigger detection alerts.

In May 2023, the Cl0p ransomware group exploited the MOVEit Transfer CVE-2023-34362 vulnerability to compromise large organizations. For a stealthy and persistent connection, adversaries deployed the LEMURLOOT webshell under the MOVEit Transfer directory and named it human2.aspx, mirroring a legitimate MOVEit file, human.aspx [14].

In another example, CISA reported that threat actors exploited the Citrix NetScaler CVE-2023-3519 vulnerability to deploy the SecretSauce webshell. The deployed webshells were given benign-looking PHP file names such as vpn.php, logout.php, log.php, or prod.php to appear legitimate [15].

T1036.006 Space after Filename

File extensions help users and operating systems determine the file format and how to handle and interpret the file content. In Linux and macOS, appending a space character to the end of a file name can change how the operating system handles the file. For example, when double-clicked, a Mach-O file named "trojan.txt" opens in the text editor. However, a file named "trojan.txt " (note the trailing space) is treated as executable by macOS when a user double-clicks it. Adversaries exploit this behavior to craft seemingly benign files of any format, such as documents, images, or multimedia files, and lure unsuspecting users into executing malicious payloads.

  • OSX/Keydnap backdoor: This malware was distributed in a zip archive containing a binary named "screenshot.jpg " [16]. Since the file name ends with a space character, it is executed by Terminal.app rather than opened as an image. When a user double-clicks it, the Keydnap backdoor is executed.

  • WinRAR CVE-2023-38831 vulnerability: The CVE-2023-38831 vulnerability allows adversaries to spoof file extensions and hide their malware within an archive as an image or document file. In October 2023, adversaries were observed delivering Athena Agent malware to their victims in an archive file named "resultati_sovehchaniya_11_09_2023.rar", which translates to "meeting results". The archive contained a PDF file and a folder with identical names. However, the PDF file had a space at the end of its extension to mask the malicious CMD script as a PDF file. When a user attempts to open the PDF file, the vulnerability causes WinRAR to execute the Athena Agent malware [17].

T1036.007 Double File Extension

A file name may contain a secondary file type extension, resulting in the display of only the first extension. Although "filename.txt.exe" may appear as "filename.txt" in some views, the second extension is the actual file type, which specifies how the file is opened and executed. Thus, adversaries leverage a double extension in the filename to masquerade the actual file type [18].

In Microsoft Windows operating systems, there is a default setting for "Hide file extensions for known file types." Malware authors abuse this feature to trick unsuspecting users into downloading files that appear to be legitimate but are dangerous executables. Typically, common file types such as text and document files (e.g. .txt, .doc, .pdf) and image files (e.g., .jpg, .png, .gif) are used as the first extension to make the file appear benign. Dangerous executable extensions (e.g., .exe, .vbs, .com, .ps1, .dat, .hta, .htm, .js) frequently appear as the second extension and true file type. These files frequently masquerade as email attachments.

  • Mustang Panda: The Chinese APT group Mustang Panda uses the Double File Extension technique to deliver PlugX malware as an ISO image attachment. The ISO image contains a shortcut file with a ".doc.lnk" double extension. Since .lnk is a known file type, the file appears as an Office document with a .doc extension. However, when clicked, the .lnk file starts the PlugX execution chain [19].

  • RedLine Stealer: Adversaries use spear-phishing emails to infect target systems with RedLine Stealer. The malware is delivered via an attachment with a ".pdf.htm" extension to trick users by appearing as a legitimate PDF file. When an unsuspecting user opens the benign-looking PDF file, the malicious attachment drops malware onto the target system and injects shellcode downloaded from an adversary-controlled C2 server [20].
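The three file-name tricks discussed so far (the RTLO character of T1036.002, the trailing space of T1036.006, and the double extension of T1036.007) can all be checked from the file name alone. The following is an added example, not code from the original post; the extension lists are constructed, and displayed_name() only approximates how a file browser renders a name.

```python
"""Flag file names that hide their real extension with a Right-to-Left
Override character, a trailing space, or a decoy extension followed by an
executable one (added example, not from the post)."""

RLO = "\u202e"
# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
# Constructed lists: extensions that execute, and extensions used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "vbs", "js", "ps1", "hta", "htm",
                   "lnk", "cmd", "bat", "dll"}
DECOY_EXTS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "png", "gif", "xls"}


def displayed_name(name: str, hide_known_ext: bool = True) -> str:
    """Approximate what a file browser shows: a trailing known extension is
    hidden when "Hide extensions for known file types" is on (the Windows
    default), and text after an RLO character is rendered reversed."""
    shown = name
    if hide_known_ext:
        stem, dot, ext = shown.rpartition(".")
        if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
            shown = stem
    if RLO in shown:
        head, tail = shown.split(RLO, 1)
        shown = head + tail[::-1]
    return shown


def check_file_name(name: str) -> list:
    """Return findings for a single file name (empty if nothing suspicious)."""
    findings = []
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    if controls:
        shown = displayed_name(name, hide_known_ext=False)
        findings.append(f"bidi control character(s) {', '.join(controls)}; shown as {shown!r}")
    if name != name.rstrip(" "):
        findings.append("trailing space after file name")
    # Decide the real extension from the name with controls and trailing spaces removed.
    clean = "".join(c for c in name if c not in BIDI_CONTROLS).rstrip(" ").lower()
    parts = clean.split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{parts[-1]}")
    return findings
```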

T1036.008 Masquerade File Type

File types and headers typically follow a standard format that helps operating systems understand how a file is encoded and organized. For example, the header of a PDF file starts with the bytes 0x25 0x50 ("%P") and the file extension is ".pdf". Adversaries exploit the predictability of file formats by manipulating the header bytes and/or the file extension of malicious payloads. As a result, they circumvent file validation checks and input sanitization mechanisms. Attackers often use this technique during payload transfer operations, such as ingress tool transfers, and when storing malware. By altering the header and extension, adversaries can pass through security checks and storage controls without raising suspicion or triggering detections, effectively disguising their malicious intent.

In December 2023, CISA reported that adversaries were able to infiltrate a federal agency and deploy a webshell. While the webshell was downloaded to the compromised system as "conf.txt", it was actually a .jsp file that allowed adversaries to establish persistent connections [21].

In another example, JPCERT observed that adversaries were able to insert a malicious macro-enabled document in MHT format into a PDF file. Since the header and extension remained those of a PDF, the file was recognized as a PDF and bypassed detection. If the crafted file is opened in MS Word, the inserted macro is executed [22].
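A defender-side check for the two cases above compares the extension a file claims with the bytes it actually starts with, and scans text-like or PDF files for script and Office markers that should not be there. This is an added example, not code from the original post or from CISA/JPCERT; the magic-byte table, marker list, and all sample byte strings are constructed.

```python
"""Compare a file's claimed type (extension) with its leading bytes, and look
for script/Office content hidden inside text or PDF files (added example,
not from the post)."""
from typing import Optional

# Constructed table: extension -> byte prefixes ("magic") a genuine file starts with.
MAGIC = {
    "pdf": (b"%PDF",),
    "exe": (b"MZ",),
    "dll": (b"MZ",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "elf": (b"\x7fELF",),
}
# Extensions whose content is additionally scanned for the markers below.
SCAN_FOR_MARKERS = {"txt", "log", "conf", "ini", "pdf", "htm", "html"}
# Constructed markers: server-side script tags and MHT/Word document tags.
SCRIPT_MARKERS = (b"<%", b"<?php", b'runat="server"', b"MIME-Version:",
                  b"mhtml:", b"<w:WordDocument")


def detect_type(data: bytes) -> Optional[str]:
    """Return the first extension whose magic matches the leading bytes."""
    for ext, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None


def inspect_file(name: str, data: bytes) -> list:
    """Return findings for a (file name, content) pair; empty means consistent."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = detect_type(data)
    expected = MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        findings.append(f"claims .{ext} but leading bytes match {actual or 'no known format'}")
    elif not expected and actual:
        findings.append(f".{ext or '<none>'} file starts with the header of a .{actual} file")
    if ext in SCAN_FOR_MARKERS:
        hits = sorted(m.decode() for m in SCRIPT_MARKERS if m in data)
        if hits:
            findings.append("embedded script/Office markers: " + ", ".join(hits))
    return findings


# Constructed samples mirroring the cases discussed above (not real malware).
SAMPLES = {
    # JSP-style content delivered under a .txt name, like "conf.txt" above
    "conf.txt": b'<%@ page language="java" %>\n<%-- constructed placeholder --%>\n',
    # PDF header followed by MHT/Word markers, like the MalDoc in PDF case
    "invoice.pdf": b"%PDF-1.7\n%constructed\nMIME-Version: 1.0\n<w:WordDocument>\n",
    # PE header under a .txt name
    "readme.txt": b"MZ\x90\x00" + bytes(60),
    # A consistent JPEG
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}
```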

T1036.009 Break Process Trees

Security controls use a method called process tree analysis to detect and identify potentially malicious activities. This analysis relies on the "parent-child" relationship between processes to detect anomalous behavior. On Unix-based systems, breaking the process tree is a common practice employed by administrators to execute software using scripts and programs. Adversaries exploit this practice by executing a series of Native API calls on Linux systems to alter the malware's process tree. By modifying the parent process ID, adversaries break the parent-child relationship and make it difficult for security tools to associate their behavior with previous process tree activity.

For instance, adversaries may execute their payload without any arguments, invoke the fork() API call twice, and then terminate the parent process. This sequence creates a grandchild process whose original parent has exited, effectively disconnecting the execution of the adversary's payload from its previous process tree. The orphaned grandchild is subsequently adopted by the init process (PID 1), further concealing the malicious activity from detection mechanisms.

XorDdos trojan uses the T1036.009 Break Process Trees technique to establish persistence without leaving traces. At system startup, the malware checks whether it is running from the "/bin", "/usr/bin", or "/tmp" directory. If it is not running from one of these directories, XorDdos copies itself to "/lib/libudev.so". After modifying the copy to evade hash-based detection, XorDdos executes the copied and modified malware by performing a double fork() and then deletes itself. This series of actions helps XorDdos stay persistent and stealthy [23].

Adversaries may also use the "daemon" syscall to detach from the current parent process and operate in the background. By invoking this syscall, the execution of a malicious payload can be separated from its parent process, allowing the payload to run autonomously without leaving traces of its origin [24].
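The double-fork pattern described above leaves a recognizable trace in fork/exec/exit telemetry: an intermediate child that never calls exec and exits right after forking its own child. The following detection over a constructed event stream is an added example, not code from the original post or from any sensor product; the event format and the 50 ms threshold are assumptions.

```python
"""Reconstruct process lineage from fork/exec/exit events and flag the
intermediate-child-exits-immediately signature of a double fork (added
example, not from the post). Events are constructed for illustration."""
from collections import defaultdict

THRESHOLD_MS = 50  # assumed: how quickly the intermediate child must exit

# Constructed sensor events: (timestamp_ms, kind, pid, detail)
#   fork: detail = child pid   exec: detail = image path   exit: detail = None
EVENTS = [
    (0,    "exec", 100, "/bin/bash"),
    (10,   "fork", 100, 101),
    (12,   "exec", 101, "/usr/bin/ls"),       # ordinary child: forks, execs, exits
    (40,   "exit", 101, None),
    (100,  "fork", 100, 200),
    (101,  "exec", 200, "/tmp/.x/payload"),   # constructed origin of the double fork
    (105,  "fork", 200, 201),                 # first fork
    (106,  "fork", 201, 202),                 # second fork, by the intermediate child
    (107,  "exit", 201, None),                # intermediate exits at once, never execs
    (108,  "exit", 200, None),                # origin exits: 202 is reparented to PID 1
    (110,  "exec", 202, "/lib/libudev.so"),   # orphan runs the copied payload
    (500,  "fork", 100, 300),
    (501,  "exec", 300, "/usr/bin/sleep"),
    (9000, "exit", 300, None),
]


def find_double_forks(events, threshold_ms=THRESHOLD_MS) -> list:
    """Return one alert per orphan created through a fork-fork-exit sequence."""
    parent, fork_ts, exec_path, exit_ts = {}, {}, {}, {}
    children = defaultdict(list)
    for ts, kind, pid, detail in events:
        if kind == "fork":
            parent[detail], fork_ts[detail] = pid, ts
            children[pid].append(detail)
        elif kind == "exec":
            exec_path[pid] = detail          # last image the pid executed
        elif kind == "exit":
            exit_ts[pid] = ts
    alerts = []
    for mid, origin in parent.items():
        # The intermediate child of a double fork never execs and exits quickly.
        if mid in exec_path or mid not in exit_ts:
            continue
        for orphan in children[mid]:
            if exit_ts[mid] - fork_ts[orphan] <= threshold_ms:
                alerts.append({
                    "orphan": orphan,
                    "orphan_exe": exec_path.get(orphan, "<no exec seen>"),
                    "intermediate": mid,
                    "origin": origin,                       # the orphan's grandparent
                    "origin_exe": exec_path.get(origin, "<unknown>"),
                    "origin_exited": origin in exit_ts,
                })
    return alerts
```

Legitimate daemons also double-fork when they start, so the origin's image path (here a file under /tmp, as in the XorDdos directory check above) and whether the origin exited are what separate this alert from normal service start-up.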

References

[1] "Subvert Trust Controls: Code Signing." Available: https://attack.mitre.org/techniques/T1553/002/. [Accessed: Feb. 23, 2024]

[2] "GitHub - threatexpress/metatwin: The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another," GitHub. Available: https://github.com/threatexpress/metatwin. [Accessed: Feb. 16, 2024]

[3] "Resource Hacker." Available: http://angusj.com/resourcehacker/. [Accessed: Feb. 23, 2024]

[4] "GitHub - secretsquirrel/SigThief: Stealing Signatures and Making One Invalid Signature at a Time," GitHub. Available: https://github.com/secretsquirrel/SigThief. [Accessed: Feb. 23, 2024]

[5] "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible," Mandiant, Oct. 03, 2021. Available: https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise. [Accessed: Feb. 23, 2024]

[6] "GitHub - med0x2e/SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature," GitHub. Available: https://github.com/med0x2e/SigFlip. [Accessed: Feb. 23, 2024]

[7] "User Execution." Available: https://attack.mitre.org/techniques/T1204/. [Accessed: Feb. 23, 2024]

[8] "Phishing: Spearphishing Attachment." Available: https://attack.mitre.org/techniques/T1566/001/. [Accessed: Feb. 23, 2024]

[9] CERT Polska. Available: https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d. [Accessed: Feb. 23, 2024]

[10] "Securonix Threat Labs Security Advisory: Qbot/QakBot Malware's New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload," Securonix, Nov. 18, 2022. Available: https://www.securonix.com/blog/qbot-qakbot-malwares-new-initial-execution/. [Accessed: Feb. 23, 2024]

[11] F. Lee and S. Roland, "Bee-Ware of Trigona, An Emerging Ransomware Strain," Unit 42, Mar. 16, 2023. Available: https://unit42.paloaltonetworks.com/trigona-ransomware-update/. [Accessed: Feb. 23, 2024]

[12] "New SEO#LURKER Attack Campaign: Threat Actors Use SEO Poisoning and Fake Google Ads to Lure Victims Into Installing Malware," Securonix, Nov. 16, 2023. Available: https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/. [Accessed: Feb. 23, 2024]

[13] "eSentire Threat Intelligence Malware Analysis: Icarus Stealer," eSentire, Feb. 13, 2023. Available: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-icarus-stealer. [Accessed: Feb. 23, 2024]

[14] S. Solomon, "Breakdown of the MOVEit Transfer Breach and MITRE ATT&CK Mapping," Oct. 03, 2023. Available: https://www.klogixsecurity.com/blog/breakdown-of-the-moveit-transfer-breach-and-mitre-attck-mapping. [Accessed: Feb. 23, 2024]

[15] "Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a. [Accessed: Feb. 23, 2024]

[16] "Resource Hub," Synack, Feb. 17, 2023. Available: https://www.synack.com/resource-hub/. [Accessed: Feb. 23, 2024]

[17] "AgentTesla Spreads Through CHM And PDF Files In Recent Attacks," Cyble, Oct. 13, 2023. Available: https://cyble.com/blog/agenttesla-spreads-through-chm-and-pdf-files-in-recent-attacks/. [Accessed: Feb. 23, 2024]

[18] "Masquerading: Double File Extension." Available: https://attack.mitre.org/techniques/T1036/007/. [Accessed: Feb. 23, 2024]

[19] EclecticIQ, "Mustang Panda APT group uses European Commission-themed lure to deliver PlugX malware." Available: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware

[20] "RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware," Trend Micro, Sep. 13, 2023. Available: https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html. [Accessed: Feb. 23, 2024]

[21] "Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a. [Accessed: Feb. 23, 2024]

[22] "MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file," JPCERT/CC Eyes. Available: https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html. [Accessed: Feb. 23, 2024]

[23] M. T. Intelligence, "Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices," Microsoft Security Blog, May 19, 2022. Available: https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/. [Accessed: Feb. 23, 2024]

[24] "BPFDoor - An Evasive Linux Backdoor Technical Analysis," Sandfly Security - Agentless Linux Security and EDR, May 11, 2022. Available: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/. [Accessed: Feb. 23, 2024]