T1036.006SubTechniquedefense-evasionagent-callable

T1036.006Space after Filename

Sub-technique of T1036

Platforms: Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back). Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

ATT&CK tactics· 1

Defense Evasion

References

  1. https://attack.mitre.org/techniques/T1036/006
  2. https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.