When files are not what they seem
#1
Bug 
Quote:Attackers use the polyglot technique to disguise malware. We explain what it is and how to protect your company against attacks.
 
Not long ago, our Securelist blog published a post (Russian language only) about an attack on industrial enterprises using the PhantomPyramid backdoor, which our experts with a high degree of confidence attribute to the Head Mare group. The attack was fairly standard — an email claiming to contain confidential information, with an attached password-protected archive containing malware, and a password for unpacking located right in the email’s body. But the method by which the attackers hid their malicious code — in a seemingly harmless file — is quite interesting: to do it they used the polyglot technique.

What is the polyglot technique?

In the MITRE ATT&CK matrix, polyglot files are described as files that correspond to several file types at once, and that operate differently depending on the application in which they’re launched. They’re used to disguise malware: for the user, as well as for some basic protection mechanisms, they look like something completely harmless, for example a picture or a document, but in fact there’s malicious code inside. Moreover, the code can be written in several programming languages at once.

Attackers use a variety of format combinations. Unit42 once investigated an attack using a help file in the Microsoft Compiled HTML Help format (.chm extension), which also was an HTML application (.hta file). Researchers also describe the use of a .jpeg image inside which, in fact, was a .phar PHP archive. In the case of the attack investigated by our experts, executable code was hidden inside a .zip archive file.

Polyglot file in the PhantomPyramid case

The file sent by attackers (presumably the Head Mare group) had a .zip extension and could be opened with a standard archiver application. But in fact it was a binary executable file, to the end of which a small ZIP archive was added. Inside the archive was a shortcut file with a double extension .pdf.lnk. If the victim, confident that they were dealing with a regular PDF file, clicked on it, the shortcut executed a PowerShell script, which allowed the malicious .zip file to be launched as an executable file, and also created a decoy PDF file in the temporary directory to show it to the user.
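The layout described above (an executable with a ZIP appended to its tail) is exactly what makes the file open cleanly in an archiver while still being something else. The following Python is an added triage example, not code from Kaspersky or from the quoted post: it checks whether a file's leading bytes match its claimed extension, parses the ZIP End of Central Directory record to work out how many bytes of non-ZIP data precede the archive, and flags archive members with document-looking double extensions that end in .lnk. The sample file is constructed in memory (a placeholder MZ prefix, not a real PE, plus a small archive), and the list of risky double extensions is an assumption for illustration. Zip64 archives use a different EOCD layout and are not handled here.

```python
import io
import struct
import zipfile

PE_MAGIC = b"MZ"
ZIP_LOCAL_MAGIC = b"PK\x03\x04"
ZIP_EOCD_MAGIC = b"PK\x05\x06"
# Assumption for illustration: shortcut files masquerading as documents.
RISKY_DOUBLE_EXT = (".pdf.lnk", ".doc.lnk", ".docx.lnk", ".xls.lnk", ".jpg.lnk")

# Constructed prefix: an MZ header plus filler. Not a real executable.
CONSTRUCTED_PREFIX = b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-NOT-A-REAL-PE" + b"\x00" * 200


def build_polyglot_sample() -> bytes:
    """Constructed sample mimicking the article's layout: executable-looking
    bytes first, a small ZIP containing a .pdf.lnk member appended at the end."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Confidential.pdf.lnk", b"placeholder shortcut bytes (constructed)")
    return CONSTRUCTED_PREFIX + buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive for comparison: a plain ZIP with one PDF member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder (constructed)")
    return buf.getvalue()


def find_zip_start(data: bytes):
    """Return the offset at which the ZIP structures actually begin, or None.

    Locates the End of Central Directory record (searched from the tail, as
    archivers do) and derives the length of any prepended data the same way
    zip readers do: EOCD position - central directory size - central directory offset.
    A positive result means the archive does not start at byte 0."""
    eocd = data.rfind(ZIP_EOCD_MAGIC)
    if eocd < 0 or len(data) - eocd < 22:  # EOCD record is at least 22 bytes
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix_len = eocd - cd_size - cd_offset
    return prefix_len if prefix_len >= 0 else None


def analyse(data: bytes, claimed_ext: str) -> dict:
    """Static triage of a file against the extension it was delivered with."""
    findings = []
    head = data[:4]

    # 1. Does the file start the way its extension says it should?
    if claimed_ext.lower() == ".zip" and not head.startswith(ZIP_LOCAL_MAGIC):
        findings.append(f"extension is .zip but file starts with {head!r}, not a ZIP local header")
    if head.startswith(PE_MAGIC):
        findings.append("file begins with an MZ (DOS/PE executable) header")

    # 2. Is there non-ZIP data in front of the archive?
    zip_start = find_zip_start(data)
    if zip_start is not None and zip_start > 0:
        findings.append(f"ZIP structures begin at offset {zip_start}; {zip_start} bytes precede them")

    # 3. What is inside? zipfile tolerates prepended data, so the listing still works.
    members = []
    if zip_start is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append("EOCD record found but the archive could not be parsed")
    for name in members:
        if name.lower().endswith(RISKY_DOUBLE_EXT):
            findings.append(f"member {name!r} has a document-looking double extension ending in .lnk")

    return {"zip_start": zip_start, "members": members, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, blob in (("polyglot", build_polyglot_sample()), ("clean", build_clean_zip())):
        result = analyse(blob, ".zip")
        print(f"{label}: suspicious={result['suspicious']} zip_start={result['zip_start']}")
        for f in result["findings"]:
            print("  -", f)
```

The point of step 2 is that an archiver only needs the End of Central Directory record at the tail to open the file, so a correct archive can sit behind any amount of foreign data; comparing the computed prefix length with zero is a cheap way to catch that on a mail gateway or in a sandbox pre-filter, independent of what the first bytes happen to be.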
