MITRE ATT&CK – T1036: Masquerading
Written By: Austin Miller
Onto number eight in our Top 10 MITRE ATT&CK procedures used by the adversary – MITRE ATT&CK – T1036: Masquerading. Found in 9% of samples analyzed by Picus in their recent Red Report research, this is an example of defense evasion that involves spoofing artifacts to make it appear like the infection and breach were legitimate. Masquerading is a major reason why malware sits dormant and unnoticed in systems for long periods of time despite otherwise effective cybersecurity measures.
What is masquerading?
Masquerading is any kind of evasive action that involves the manipulation of their artifacts to cover their trail. This is done to appear legitimate and benign to security professionals and security tools. Any time that a file, metadata, task or service is edited to hide the adversaries’ tracks, we’re talking about masquerading.
Masquerading is often employed by the adversary to hide executables that launch malware, such as in the cases of APT32, NotPetya, and TrickBot. When a cybersecurity-naïve employee sees computer_destroyer_virus.exe on their desktop, they’re unlikely to click on it; if they see Barbara’s 50th celebration.docx, they just might.
Exploring the procedures
Because masquerading is a wide net of different tactics, techniques, and procedures used by the adversary, it is difficult to reduce T1036 to a few simple attack types. However, here are three of the most common tactics, techniques, and procedures (TTPs) used by the adversary. For further reading, consult the MITRE ATT&CK framework page for T1036: Masquerading.
T1036.001 – Invalid Code Signature
To be clear, this isn’t code signature replacement, but code signature impersonation. The adversary takes a legitimate signature from another file or program and implants it into the malicious file. Although this might be enough to fool a human security professional looking at a file, it would fail to bypass digital signature validation as the actual legitimate signature is not transferred.
MetaTwin is an example of a tool which the adversary could use to copy metadata and paste it onto a malicious file. Extracting the binary used by a legitimate binary, the open-source tool writes spoofed metadata and digital signature information to a target, malicious binary.
T1036.002 – Right-to-Left Override
This is a quirk of Unicode – the U+202E character turns the writing direction from left-to-right to right-to-left. This is designed to help Hebrew and Arabic language users write in their respective alphabets.
If used on a malicious file name, we can change the appearance of a file to present it as something other than it is. For example, suppose that a virus is named launcher.exe. Thanks to end-user training, your colleagues know that .exe file types are potentially dangerous and they won’t fall for that.
By inserting U+202E into the file name, we can switch the direction of the text and include the .exe extension on the text side. For example, launcher.exe could be written as launcherU+202Etxt.exe, which in turn presents itself to the user as launcherexe.txt. At first glance, they might only see that it is a text file. This won’t trick a machine, but it might trick an end-user.
T1036.004 – Masquerade Task or Service
At startup, the adversary will sometimes create tasks and services that will execute once or repeatedly. These scheduled tasks are easily achieved through Windows Task scheduler, at, Windows services, and the Linux system services. But these will be easily identifiable one inspection, so they need to disguise the behavior.
One example of this is Fin7’s use of spoofing to make it appearance that adversarial scheduled tasks are actually AdobeFlashSync. When this appears in services, it doesn’t set off any alarm bells.
How serious is masquerading?
Due to the prevalence of masquerading in 18,702 different malware samples that Picus analyzed, it is safe to say that it is a big problem that is present across the board. When the adversary successfully masquerading their malicious actions as legitimate, there is no way for a cybersecurity professional to know that there has been a breach at all.
The real danger of masquerading attempts is the long-term effects of allowing a threat actor to sit on a network unnoticed. There are obvious problems that come from potentially exposing your entire network to someone who wants to do damage:
- Understanding your network and software makes it easier to target your vulnerabilities.
- Data exfiltration can be done without anyone knowing at all.
- Malicious files can be edited to make them seem like trusted files or applications.
- Malicious files can easily be placed in trusted directories to avoid detection.
How can I defend my organization?
Many masquerading techniques are designed to fool human eyes, but they struggle to stand up to computer defenses. That’s why scanning tools are necessary – they will always catch the adversary in the act, even when the most experienced security analysts are momentarily fooled.
The MITRE ATT&CK framework says the following mitigations are effective in battling against masquerading techniques:
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes. Join the newsletter here.