Stealth

T1036.007: Double File Extension

T1036.007 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
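As an added example (not part of the ATT&CK entry), a small Python check that flags the naming pattern described above, a benign-looking extension sitting directly before an executable one, and separately flags files whose content starts with a PE header although their final extension is not an executable type, a case the name heuristic alone misses. The extension sets, the magic-byte check and the sample list are constructed assumptions, not ATT&CK data.

```python
# Added example, not part of the ATT&CK entry: flag double-extension names and
# PE content hidden behind a non-executable final extension.
BENIGN = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "gif", "png"}        # assumed benign-looking set
EXECUTABLE = {"exe", "lnk", "hta", "scr", "com", "bat", "cmd", "vbs", "js"}  # assumed executable set
PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def split_extensions(path: str) -> list:
    """Lowercase extensions of the final path component: 'a.txt.exe' -> ['txt', 'exe']."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_double_extension(path: str) -> bool:
    """Name heuristic: a benign-looking extension immediately before an executable one."""
    exts = split_extensions(path)
    return len(exts) >= 2 and exts[-2] in BENIGN and exts[-1] in EXECUTABLE


def content_mismatch(path: str, head: bytes) -> bool:
    """Content check: PE header present, but the final extension is not an executable type."""
    exts = split_extensions(path)
    return head.startswith(PE_MAGIC) and (not exts or exts[-1] not in EXECUTABLE)


def classify(path: str, head: bytes) -> str:
    """Return 'double-extension', 'content-mismatch' or 'ok' for one file."""
    if is_double_extension(path):
        return "double-extension"
    if content_mismatch(path, head):
        return "content-mismatch"
    return "ok"


# Constructed samples: (filename, first bytes of the file); the headers are synthetic.
SAMPLES = [
    ("Evil.txt.exe", b"MZ\x90\x00"),               # the description's example
    ("PreviewReport.DOC.exe", b"MZ\x90\x00"),      # upper-case first extension
    ("report.pdf.lnk", b"L\x00\x00\x00"),          # shortcut posing as a PDF
    ("companycatalog.exe.config", b"MZ\x90\x00"),  # executable behind a benign final extension
    ("notes.txt", b"plain text"),                  # clean
    ("setup.exe", b"MZ\x90\x00"),                  # honest executable, not flagged
]

if __name__ == "__main__":
    for path, head in SAMPLES:
        print(f"{classify(path, head):17} {path}")
```

The second check is what catches a name like the Milan sample listed under Associated Software, where the executable type is the first extension rather than the last.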

Platforms

Windows

Mitigations (2)

User Training (M1017)

Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Operating System Configuration (M1028)

Disable the default to “hide file extensions for known file types” in Windows OS.(Citation: Seqrite DoubleExtension)(Citation: HowToGeek ShowExtension)

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used an additional filename extension to hide the true file type. [Kimsuky](https://attack.mitre.... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUS... |

Associated Software (3)

| ID | Name | Type | Context |
|---|---|---|---|
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) masquerades malicious LNK files as PDF objects using the double extension `.pdf.lnk`.(C... |
| S0534 | Bazar | Malware | The [Bazar](https://attack.mitre.org/software/S0534) loader has used dual-extension executable files such as PreviewReport.DOC.exe.(Citation: Cybereas... |
| S1015 | Milan | Malware | [Milan](https://attack.mitre.org/software/S1015) has used an executable named `companycatalog.exe.config` to appear benign.(Citation: ClearSky Siamese... |

Frequently Asked Questions

What is T1036.007 (Double File Extension)?

T1036.007 is a MITRE ATT&CK technique named 'Double File Extension'. It belongs to the Stealth tactic(s). Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension...

How can T1036.007 be detected?

Detection of T1036.007 (Double File Extension) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1036.007?

There are 2 documented mitigations for T1036.007. Key mitigations include: User Training, Operating System Configuration.

Which threat groups use T1036.007?

Known threat groups using T1036.007 include: Kimsuky, Mustang Panda.