MITRE ATT&CK T1036 Masquerading

  • the fundamentals of the Masquerading technique
  • features manipulated by adversaries for Masquerading
  • its use cases by threat actors and malware
  • Red team exercises for this technique

Introduction

Adversaries masquerade their malicious artifacts, such as malware files and processes, as legitimate software and processes to evade detection by users and security controls.

Masquerading Sub-techniques

1. T1036.001 Invalid Code Signature

Code signing is the process of digitally signing an executable so that its author can be verified and tampering with the code can be detected. In this sub-technique, adversaries copy the metadata and signature information from a legitimately signed program and use it as a template for their own, unsigned binary. Because the signature was not computed over the malicious file, it fails digital signature validation; the value to the attacker is that a user, or a tool that only checks for the presence of a signature or only displays the signer name, may treat the file as legitimate.

2. T1036.002 Right-to-Left Override

The right-to-left override (RTLO or RLO) character is a non-printing Unicode character (U+202E) that forces the text following it to be displayed right to left. It exists to support languages written from right to left, but in a filename it simply reverses the visual order of whatever comes after it. For example, the file name receiptU+202Etxt.exe is rendered on screen as receiptexe.txt. A user may take the file for a text file, but it is an executable. As another example, a file that appears as receiptmcod.txt may actually be receipt\u202Etxt.docm, a macro-enabled document with a U+202E placed just before txt.docm. Note that the character only changes the visual appearance of the name; the actual file name, and therefore the extension the operating system dispatches on, is unchanged (it is still .docm in the second example).
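As an added example (not part of the original article or of Picus's tooling), the following Python shows both sides of the trick: a function that approximates what a left-to-right file browser displays for a name containing U+202E, and a check that recovers the real extension and flags the control character. The function and variable names are this example's own, and the sample file names are constructed.

```python
# Unicode bidirectional control characters. U+202E (RLO) is the one named in
# T1036.002; the others are listed because they are equally invisible and
# should be treated with the same suspicion in a file name.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO",
    "\u202E": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def displayed_name(actual: str) -> str:
    """Approximate what a left-to-right file browser renders for `actual`.

    Only the RLO override is modelled: everything after a U+202E is drawn
    in reverse until a U+202C (PDF) or the end of the string. This is a
    simplification of the Unicode bidi algorithm, sufficient for the
    file name trick discussed above.
    """
    out, i = [], 0
    while i < len(actual):
        ch = actual[i]
        if ch == "\u202E":
            end = actual.find("\u202C", i + 1)
            end = len(actual) if end == -1 else end
            out.append(actual[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:   # other controls simply do not print
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS actually dispatches on: text after the last dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def visible_form(name: str) -> str:
    """Render control characters as tags, e.g. 'receipt<RLO>txt.exe'."""
    return "".join(f"<{BIDI_CONTROLS[c]}>" if c in BIDI_CONTROLS else c
                   for c in name)


def check_filename(actual: str) -> dict:
    """Compare the displayed and the real extension of one file name."""
    shown = displayed_name(actual)
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(actual)
                if c in BIDI_CONTROLS]
    return {
        "escaped": visible_form(actual),
        "displayed": shown,
        "real_extension": real_extension(actual),
        "apparent_extension": real_extension(shown),
        "bidi_controls": controls,
        "suspicious": bool(controls),
    }


def suspicious_names(names) -> list:
    """Escaped forms of every name that carries a bidi control character."""
    return [visible_form(n) for n in names if check_filename(n)["suspicious"]]


# Constructed sample names: the two from the text plus a benign one.
SAMPLE_NAMES = ["receipt\u202Etxt.exe", "receipt\u202Etxt.docm", "report.pdf"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        r = check_filename(name)
        print(f"{r['escaped']:<28} shown as {r['displayed']:<20} "
              f"real .{r['real_extension']} apparent .{r['apparent_extension']}")
```

In a real scan you would feed `suspicious_names` the raw names from `os.listdir` or from an e-mail attachment list; the point is to inspect the code points, never the rendered string.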

3. T1036.003 Rename System Utilities

Adversaries frequently use Windows system utilities in their operations to bypass defensive controls; rundll32.exe, cmd.exe and certutil.exe are common examples. Because these legitimate utilities are so widely abused, security tools monitor them for suspicious use. To avoid name-based detection, adversaries rename them. For example, the threat actors behind Operation Soft Cell renamed cmd.exe to cdm.exe [11], and the Korplug malware that spread under COVID-19 lures used a renamed certutil.exe, msoia.exe, to decode a CAB file [12]. Renaming changes only the on-disk name; the PE version resource inside the binary, which is where Sysmon's OriginalFileName field comes from, is unchanged.

4. T1036.004 Masquerade Task or Service

Adversaries use the task and service facilities of operating systems to obtain initial or recurring execution of their code [13] [14]; as part of execution and persistence, malware creates tasks and services that run at system startup or on a schedule. To make these look benign, adversaries give them names and descriptions identical or similar to those of legitimate tasks and services (for Windows services, both the service name and the display name can be chosen freely), so that they blend in with the many generically named entries already present on a host.

5. T1036.005 Match Legitimate Name or Location

Adversaries may give their artifacts names or locations identical or similar to those of legitimate files to evade monitoring and detection. As a recent example, the Tropic Trooper cyberespionage group placed its USBferry malware in the %USERPROFILE%\Documents\Flash\ folder under the name flash_en.exe [18]. The threat actors behind the Operation In(ter)ception cyberespionage campaign disguised their files and folders with names resembling known software and hardware vendors, such as C:\Intel\IntelV.cgi, C:\NVIDIA\NvDaemon.exe and C:\ProgramData\DellTPad\DellTPadRepair.exe [19]. Detection therefore has to compare a process name against the path it is expected to run from, not just look at the name.

6. T1036.006 Space after Filename

On macOS, appending a space to a filename changes how the operating system determines the file's type when a user opens it. If an executable Mach-O file is named malware.txt, double-clicking it opens it in the default text editor and the binary does not run. If the same file is renamed to "malware.txt " (with a trailing space), macOS no longer matches the .txt extension, determines the true file type from the file itself and executes the binary when the user double-clicks it. This does not work for .app bundles.

Red and Blue Team Exercises

1. Rename cmd.exe (T1036.003 Rename System Utilities)

Red Teaming — How to simulate?

In this test, we copy cmd.exe to cdm.exe, as the threat actors of Operation Soft Cell did [11].

Blue Teaming — How to detect?

The following Sigma rule detects execution of a renamed binary by using the OriginalFileName field that Sysmon added to its process creation events in version 10 [25]. Sysmon reads this value from the binary's PE version resource, so a plain on-disk rename does not change it; a process whose image name differs from its OriginalFileName is the signal.

2. Use a task name similar to a Windows service (T1036.004 Masquerade Task or Service)

Red Teaming — How to simulate?

We will test the masquerading method used by the Rancor threat group's Plaintee Trojan (Picus Threat ID: 206343).

Blue Teaming — How to detect?

The following Sigma rule detects scheduled task creation whose action points into the %APPDATA% directory.

3. Use a task name similar to a common software service (T1036.004 Masquerade Task or Service)

Red Teaming — How to simulate?

In this test, we use Adobe Acrobat Reader Updater as the task name, as the Turla threat group did (Picus Threat ID: 141210).

Blue Teaming — How to detect?

The following Sigma rule is specific to the task name used by the Turla group above. The Sigma rule from the second exercise, which looks at where the task's action resides rather than at its name, also detects this attack.
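As an added example covering the renaming discussed under T1036.003, the name-versus-location masquerading under T1036.005 and the three exercises above, the following Python implements the equivalent detection logic in code and runs it over a handful of constructed Sysmon Event ID 1 (process creation) records. It is not the Sigma rules the article refers to and not Picus code; the rule names, the watch-lists and the sample records are this example's own assumptions, and only the Sysmon field names (Image, OriginalFileName, CommandLine) are real.

```python
import ntpath
import re

# T1036.003: utilities whose renaming is worth an alert. Sysmon 10 and later
# fill OriginalFileName from the PE version resource, which a plain rename
# does not change (an attacker who patches the resource defeats this check).
WATCHED_ORIGINAL_NAMES = {
    "cmd.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
}

# T1036.005: binaries with a fixed legitimate directory (lower-case, assumed
# defaults for this example).
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# T1036.004: path fragments that mark a user-writable location; a scheduled
# task whose action lives there deserves a look whatever its name says.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming", "\\appdata\\local", "\\temp\\",
                         "%appdata%", "%temp%")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _args(command_line: str) -> list:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def _task_option(command_line: str, option: str) -> str:
    """Value following an schtasks option such as /tr or /tn ('' if absent)."""
    args = _args(command_line)
    lowered = [a.lower() for a in args]
    if option in lowered and lowered.index(option) + 1 < len(args):
        return args[lowered.index(option) + 1]
    return ""


def renamed_binary(ev: dict) -> bool:
    orig = ev.get("OriginalFileName", "").lower()
    return orig in WATCHED_ORIGINAL_NAMES and _base(ev["Image"]) != orig


def wrong_location(ev: dict) -> bool:
    allowed = EXPECTED_LOCATIONS.get(_base(ev["Image"]))
    return allowed is not None and ntpath.dirname(ev["Image"]).lower() not in allowed


def task_from_user_dir(ev: dict) -> bool:
    if _base(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    action = _task_option(cmd, "/tr").lower()
    return any(marker in action for marker in USER_WRITABLE_MARKERS)


RULES = {
    "renamed_system_utility (T1036.003)": renamed_binary,
    "system_binary_outside_expected_dir (T1036.005)": wrong_location,
    "scheduled_task_in_user_writable_path (T1036.004)": task_from_user_dir,
}


def detect(ev: dict) -> list:
    """Names of the rules that fire for one process creation event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def scan(events) -> list:
    """(Image, fired rules) for every event that triggered at least one rule."""
    return [(ev["Image"], fired) for ev in events if (fired := detect(ev))]


# Constructed Sysmon Event ID 1 records; all values are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\cdm.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cdm.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\ProgramData\msoia.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "msoia.exe -decode payload.txt payload.cab"},
    {"Image": r"C:\Users\bob\AppData\Roaming\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Adobe Acrobat Reader Updater" '
                    r'/tr "C:\Users\bob\AppData\Roaming\Adobe\update.exe" /sc minute /mo 30'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Adobe Acrobat Update Task" '
                    r'/tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc daily'},
]

if __name__ == "__main__":
    for image, fired in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(fired))
```

The two schtasks records show why the location-based rule from the second exercise is the more durable one: both tasks carry an Adobe-looking name, and only the action path tells them apart.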

Appendixes

Appendix A — Aliases of Threat Groups

Threat Group: Ke3chang — Aliases: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT

Appendix B — Aliases of Malware Families

Malware: Disttrack — Alias: Shamoon

References

[1] “Subvert Trust Controls: Code Signing, Sub-technique T1553.002 — Enterprise | MITRE ATT&CK®.” [Online]. Available: https://attack.mitre.org/techniques/T1553/002/. [Accessed: 08-Jul-2020]

Picus Security Inc.