Stealth

T1564.009: Resource Forking

T1564.009 · Sub-technique · 1 platform

Description

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)
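The description above makes three points a defender can turn into a check: a resource fork is ordinary file data reachable through the file's extended attributes, a hidden payload may sit at an arbitrary offset inside the fork rather than at its start, and the content may be compressed or encrypted until it is used. The following Python script is an added example (not code from this ATT&CK entry or from the cited SentinelLabs and TAU reports) that triages resource-fork bytes on exactly those criteria: Mach-O headers at any offset, archive signatures, and byte entropy. It assumes macOS exposes a file's fork at `<path>/..namedfork/rsrc`; the entropy threshold, the function names and the byte samples are constructed for this example.

```python
import math
import os
import sys
from typing import Dict, List, Optional

# Mach-O magic values: 32/64-bit in both byte orders, plus the universal ("fat") header.
# 0xCAFEBABE is also the Java class-file magic, so treat that hit as a weaker signal.
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
)
# Archive/compression signatures; a compressed binary stored in a fork is the case the
# cited reports describe, so a packed payload is called out on its own.
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz"}

# Assumed threshold (bits per byte) above which fork content is treated as likely
# encrypted or compressed; tune it against legitimate forks in your own fleet.
ENTROPY_THRESHOLD = 7.2
RSRC_SUFFIX = "/..namedfork/rsrc"  # macOS exposes a file's resource fork at this path

# Constructed sample forks used for the stand-alone demo (not real malware artifacts).
CONSTRUCTED_SAMPLES = {
    # 64 bytes of padding, then a 64-bit little-endian Mach-O header: a payload stashed at an offset
    "macho_at_offset": b"\x00" * 64 + b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 56,
    # gzip signature followed by filler, standing in for a compressed binary
    "gzip_payload": b"\x1f\x8b\x08\x00" + b"A" * 124,
    # byte stream with a perfectly flat distribution, standing in for an encrypted blob
    "opaque_high_entropy": bytes((i * 7919 + 13) % 256 for i in range(4096)),
    # repetitive low-entropy data, standing in for a legitimate legacy resource such as an icon bitmap
    "benign_icon_like": b"\x00\xff" * 256,
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a flat distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_macho_offsets(data: bytes) -> List[int]:
    """Return every offset at which a Mach-O or fat-binary magic appears, not just offset 0."""
    hits = set()
    for magic in MACHO_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) >= 0:
            hits.add(idx)
            start = idx + 1
    return sorted(hits)


def analyze_fork(data: bytes) -> Dict[str, object]:
    """Classify one resource fork's bytes and record why it was (or was not) flagged."""
    macho_offsets = find_macho_offsets(data)
    archive = next((name for magic, name in ARCHIVE_MAGICS.items() if data.startswith(magic)), None)
    entropy = shannon_entropy(data)
    reasons = []
    if macho_offsets:
        reasons.append(f"Mach-O header at offset(s) {macho_offsets}")
    if archive:
        reasons.append(f"{archive} archive stored in fork")
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {entropy:.2f} suggests encrypted/obfuscated content")
    return {
        "size": len(data),
        "macho_offsets": macho_offsets,
        "archive": archive,
        "entropy": round(entropy, 2),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def read_resource_fork(path: str) -> Optional[bytes]:
    """Read a file's resource fork on macOS; None when not on macOS or the file has no fork."""
    if sys.platform != "darwin":
        return None
    try:
        with open(path + RSRC_SUFFIX, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return data or None


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk a directory and report every file whose resource fork looks suspicious."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            fork = read_resource_fork(path)
            if fork is None:
                continue
            verdict = analyze_fork(fork)
            if verdict["suspicious"]:
                findings[path] = verdict
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # macOS: scan a directory tree
        for path, verdict in scan_tree(sys.argv[1]).items():
            print(path, verdict["reasons"])
    else:  # anywhere: run the constructed samples
        for label, sample in CONSTRUCTED_SAMPLES.items():
            print(f"{label:22s} {analyze_fork(sample)['reasons'] or 'clean'}")
```

On macOS, pass a directory as the first argument to report files with flagged forks; the same forks appear as the com.apple.ResourceFork attribute in xattr -l and as the @ marker in ls -l@ output mentioned above. The offset search matters because a fork that only ever held icons and menu resources should not contain a Mach-O header anywhere, while the entropy check catches the obfuscated/encrypted case where no signature survives.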

Platforms

macOS

Mitigations (1)

M1013 · Application Developer Guidance

Configure applications to use the application bundle structure which leverages the /Resources folder location.(Citation: Apple App Security Overview)

Associated Software (2)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0276 | Keydnap | Malware | [Keydnap](https://attack.mitre.org/software/S0276) uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon as... |
| S0402 | OSX/Shlayer | Malware | [OSX/Shlayer](https://attack.mitre.org/software/S0402) has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, ... |

References

Frequently Asked Questions

What is T1564.009 (Resource Forking)?

T1564.009 is a MITRE ATT&CK sub-technique named 'Resource Forking'. It belongs to the Stealth tactic. Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resource...

How can T1564.009 be detected?

Detection of T1564.009 (Resource Forking) typically involves monitoring system logs, network traffic, and endpoint telemetry. On macOS a resource fork is visible as an extended attribute on the file (the description above notes ls -l@ and xattr -l), so file telemetry that records extended attributes, combined with SIEM rules, EDR solutions, and behavioral analytics, can surface suspicious resource fork usage associated with this technique.

What mitigations exist for T1564.009?

There is 1 documented mitigation for T1564.009: Application Developer Guidance (M1013).

Which threat groups use T1564.009?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.