Polyglot technique for disguising malware | Kaspersky official blog

Polyglot technique for disguising malware | Kaspersky official blog

/in

Not long ago, our Securelist blog published a post (Russian language only) about an attack on industrial enterprises using the PhantomPyramid backdoor, which our experts with a high degree of confidence attribute to the Head Mare group. The attack was fairly standard — an email claiming to contain confidential information, with an attached password-protected archive containing malware, and a password for unpacking located right in the email’s body. But the method by which the attackers hid their malicious code — in a seemingly harmless file — is quite interesting: to do it they used the polyglot technique.

What is the polyglot technique?

In the Mitre ATT&CK matrix, polyglot files are described as files that correspond to several file types of at once, and that operate differently depending on the application in which they’re launched. They’re used to disguise malware: for the user, as well as for some basic protection mechanisms, they look like something completely harmless, for example a picture or a document, but in fact there’s malicious code inside. Moreover, the code can be written in several programming languages ​​at once.

Attackers use a variety of format combinations. Unit42 once investigated an attack using a help file in the Microsoft Compiled HTML Help format (.chm extension), which also was an HTML application (.hta file). Researchers also describe the use of a .jpeg image inside which, in fact, was a .phar PHP archive. In the case of the attack investigated by our experts, executable code was hidden inside a .zip archive file.

Polyglot file in the PhantomPyramid case

The file sent by attackers (presumably the Head Mare group) had a .zip extension and could be opened with a standard archiver application. But in fact it was a binary executable file, to the end of which a small ZIP archive was added. Inside the archive was a shortcut file with a double extension .pdf.lnk. If the victim, confident that they were dealing with a regular PDF file, clicked on it, the shortcut executed a powershell script, which allowed the malicious .zip file to be launched as an executable file, and also created a decoy PDF file in the temporary directory to show it to the user.

How to stay safe

To prevent the launch of malicious code, we recommend equipping all computers having internet access with reliable security solutions. In addition, since most cyberattacks are started with malicious or social engineering emails, it’s not a bad idea to install a security solution at the corporate mail gateway level.

And in order to have the most up-to-date data on the techniques, tactics, and procedures of attackers, we suggest using the threat data provided by our Threat Intelligence services.

Kaspersky official blog – ​Read More