Stealth

T1036.008: Masquerade File Type

T1036.008 · Sub-technique · 3 platforms · 4 groups

Description

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Most file types follow a standard format that governs how they are encoded and organized. A file's signature (also known as its header or magic bytes) is the sequence of bytes at the start of the file and is commonly used to identify the file's type; the header of a JPEG file, for example, begins 0xFF 0xD8, and its extension is .JPE, .JPEG, or .JPG.

Adversaries may edit the header bytes and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries can move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.), are typically treated as benign. Adversaries may therefore use such an extension to disguise malware, for example by storing PHP backdoor code under the file name test.gif. A user may not recognize the file as malicious because of its benign appearance and extension.

Polyglot files, which are valid as more than one file type and behave differently depending on the application that parses them, may also be used to disguise malicious payloads and capabilities.(Citation: polygot_icedID)

Platforms

Linux, macOS, Windows

Mitigations (3)

Behavior Prevention on Endpoint (M1040)

Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.

Antivirus/Antimalware (M1049)

Anti-virus can be used to automatically quarantine suspicious files.

Execution Prevention (M1038)

Ensure that input sanitization is performed and that files are validated properly before execution; in addition, implement a strict allow list so that only authorized file types are processed.(Citation: file_upload_attacks_pt2) Restrict and/or block execution of files whose headers and extensions do not match.

Threat Groups (4)

| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has appended copies of the ntds.dit database with a .gif file extension.(Citation: Secureworks B... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) masqueraded configuration files containing encryption keys as PNG files.(Citation: FBI BlackByte 20... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has crafted malware payloads to appear as Privacy-Enhanced Mail (PEM) files.(Citation: ITOCHU LODE... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has masqueraded malicious executables as legitimate files that download [PlugX](https://attack.... |

Associated Software (13)

| ID | Name | Type | Context |
|---|---|---|---|
| S9018 | HeartCrypt | Malware | [HeartCrypt](https://attack.mitre.org/software/S9018) can append a BMP header to encoded malicious payloads to masquerade them as BMP files.(Citation:... |
| S1190 | Kapeka | Malware | [Kapeka](https://attack.mitre.org/software/S1190) masquerades as a Microsoft Word Add-In file, with the extension `.wll`, but is a malicious DLL file.... |
| S0650 | QakBot | Malware | The [QakBot](https://attack.mitre.org/software/S0650) payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Expl... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) has historically been delivered via infected USB drives containing a malicious LNK object m... |
| S1238 | STATICPLUGIN | Malware | [STATICPLUGIN](https://attack.mitre.org/software/S1238) has masqueraded as a BMP file to hide its true MSI file extension.(Citation: Google Threat Int... |
| S1074 | ANDROMEDA | Malware | [ANDROMEDA](https://attack.mitre.org/software/S1074) has been delivered through a LNK file disguised as a folder.(Citation: Mandiant Suspected Turla C... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) has used Microsoft Word icons to hide malicious LNK files.(Citation: Palo Alto Brute Ratel J... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has used payloads that resemble benign file extensions such as .mp3, .accdb, and .pub, though... |
| S1053 | AvosLocker | Malware | [AvosLocker](https://attack.mitre.org/software/S1053) has been disguised as a .jpg file.(Citation: Trend Micro AvosLocker Apr 2022) |
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) has used a .NET downloader named 63342221.BAT and has used .jpg, .png, and .log as false extens... |
| S1182 | MagicRAT | Malware | [MagicRAT](https://attack.mitre.org/software/S1182) can download additional executable payloads that masquerade as GIF files.(Citation: Cisco MagicRAT... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) has disguised its true file structure as an application bundle by adding special characte... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) has been distributed as a DLL/HTML polyglot file.(Citation: DCSO StrelaStealer 2022)(Citation... |

Frequently Asked Questions

What is T1036.008 (Masquerade File Type)?

T1036.008 is a MITRE ATT&CK sub-technique named 'Masquerade File Type', listed here under the Stealth tactic. Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents, so that the file passes validation checks or appears benign to users.

How can T1036.008 be detected?

Detection of T1036.008 (Masquerade File Type) centers on comparing a file's declared type with its actual content: alert on files whose header (magic bytes) does not match their extension, on executable or script content stored under image, text, or other benign extensions, and on polyglot files that parse as more than one type. Endpoint file-creation and execution telemetry, EDR/HIPS rules, and file-upload validation logs are the usual sources; since the technique is commonly used during tool transfer and upload, pair these with monitoring of file transfer activity.

What mitigations exist for T1036.008?

There are 3 documented mitigations for T1036.008. Key mitigations include: Behavior Prevention on Endpoint, Antivirus/Antimalware, Execution Prevention.

Which threat groups use T1036.008?

Known threat groups using T1036.008 include: Volt Typhoon, BlackByte, MirrorFace, Mustang Panda.