Masquerade File Type
ID: masquerade_file_type
Severity: critical
Resource: File
Tags: backdoor, evader
Description
The detector uses file signature analysis (the "magic bytes" at the start of a file and the header structure that follows them) to identify the actual content of a file, irrespective of its declared extension. It cross-checks the declared file extension against the file's internal structure.
A mismatch between the declared extension and the actual content is flagged as potential malware.
Currently, the analysis is centered on the following Media Types:
- application/x-executable (ELF binaries)
- application/x-msdownload (Windows PE binaries: .exe, .dll and similar)
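The check described above, as an added example that is not part of the detector's own code: sniff the content from the header (ELF magic, or an MZ header whose e_lfanew points at a valid "PE\0\0" signature), derive the declared extension from the path, and report a finding when an executable hides behind a non-executable extension. The allowed-extension sets, the sample files and the function names are assumptions made for the example.

```python
import struct
from pathlib import PurePosixPath

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Assumed allow-list: extensions under which each executable type is expected.
# An empty extension is allowed for ELF, since Linux binaries usually have none.
EXPECTED_EXTENSIONS = {
    "application/x-executable": {"", "elf", "so", "bin", "o", "out"},
    "application/x-msdownload": {"exe", "dll", "sys", "scr", "drv", "ocx", "cpl"},
}


def sniff_media_type(data: bytes):
    """Return the media type detected from the header, or None when the
    content is not one of the two executable formats the detector covers."""
    if data[:4] == ELF_MAGIC:
        return "application/x-executable"
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        # e_lfanew (offset 0x3c of the DOS header) points to the PE signature.
        # Validating it avoids flagging anything that merely starts with "MZ".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "application/x-msdownload"
    return None


def declared_extension(path: str) -> str:
    """Lower-cased extension without the dot; '' when the path has none."""
    return PurePosixPath(path).suffix.lstrip(".").lower()


def is_masqueraded(path: str, data: bytes):
    """Return (media_type, declared_ext) when the content is an executable whose
    declared extension does not match; None when no mismatch is detected."""
    media_type = sniff_media_type(data)
    if media_type is None:
        return None
    ext = declared_extension(path)
    if ext in EXPECTED_EXTENSIONS[media_type]:
        return None
    return (media_type, ext)


def scan(files):
    """Run the check over a {path: bytes} mapping and return the findings."""
    findings = []
    for path, data in files.items():
        hit = is_masqueraded(path, data)
        if hit is not None:
            findings.append((path, hit[0], hit[1]))
    return findings


# Constructed samples (not real malware): the smallest headers the sniffer needs.
def constructed_pe_bytes() -> bytes:
    header = bytearray(0x40)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(header) + PE_SIGNATURE + b"\x4c\x01" + b"\0" * 18  # machine = i386


def constructed_elf_bytes() -> bytes:
    return ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9 + b"\x02\0\x3e\0" + b"\0" * 44


def constructed_png_bytes() -> bytes:
    return b"\x89PNG\r\n\x1a\n" + b"\0\0\0\rIHDR" + b"\0" * 17


SAMPLE_REPO = {
    "assets/logo.png": constructed_pe_bytes(),     # PE hidden behind .png
    "assets/favicon.ico": constructed_elf_bytes(), # ELF hidden behind .ico
    "tools/helper.exe": constructed_pe_bytes(),    # declared correctly
    "bin/agent": constructed_elf_bytes(),          # no extension, expected for ELF
    "assets/real.png": constructed_png_bytes(),    # genuine image, out of scope
    "docs/notes.txt": b"MZ is just the first two letters of this text\n" + b"\0" * 80,
}

if __name__ == "__main__":
    for path, media_type, ext in scan(SAMPLE_REPO):
        print(f"masquerade_file_type: {path} is {media_type} but declares '.{ext}'")
```

The e_lfanew validation matters: the last sample starts with "MZ" but is plain text, and a sniffer keyed only on the two magic bytes would report it. Files whose magic bytes are not one of the two covered types are deliberately ignored rather than guessed at.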
Rationale
Malware authors often use misleading file extensions to disguise their malicious payloads as seemingly harmless files.
For example, a user who opens a .png file expects it to be handled by their image viewer, but if the content is actually an executable binary, the executable may run instead.
Likewise, an attacker could store a malware binary in a repository under a harmless extension such as .ico, and have a build script or the program itself load and execute it under certain conditions at run time.
Related Malware campaigns
These are some popular campaigns using this technique:
- Volt Typhoon has been operational since at least 2021, specializing in espionage and information gathering activities.
- QakBot is a modular banking trojan that has been predominantly employed by financially motivated actors since 2007. Continuously updated and developed, QakBot has transformed from an information stealer into a delivery mechanism for ransomware.
- OSX_OCEANLOTUS.D is a macOS backdoor utilized by APT32. Initially identified in 2015, APT32 has consistently enhanced its capabilities through a plugin architecture.
- Operation Dream Job is a suspected cyber espionage effort likely orchestrated by the Lazarus Group. Targeting defense, aerospace, government, and various sectors in the United States, Israel, Australia, Russia, and India, the operation included attempts to monetize network access through a business email compromise (BEC) operation.
- Brute Ratel C4 emerged as a commercial red-teaming and adversarial attack simulation tool in December 2020. Specifically crafted to evade detection by endpoint detection and response (EDR) and antivirus (AV) systems, it employs agents called badgers for arbitrary command execution, facilitating lateral movement, privilege escalation, and persistence. A leaked cracked version in September 2022 led to its adoption by threat actors.
- AvosLocker is C++ ransomware distributed through the Ransomware-as-a-Service (RaaS) model. First identified in June 2021, it has targeted financial services, critical manufacturing, government facilities, and other sectors in the United States.
- ANDROMEDA is commodity malware that was prevalent in the early 2010s and continues to be observed in infections across a diverse range of industries.
- The 2016 Ukraine Electric Power Attack denotes a campaign by the Sandworm Team, utilizing malware to target and disrupt distribution substations within the Ukrainian power grid.