Thursday, April 3, 2025

Polyglot technique for disguising malware


Not long ago, our Securelist blog published a post (in Russian only) about an attack on industrial enterprises using the PhantomPyramid backdoor, which our experts attribute with a high degree of confidence to the Head Mare group. The attack itself was fairly standard: an email claiming to contain confidential information, with an attached password-protected archive containing malware, and the password for unpacking placed right in the body of the email. But the method by which the attackers hid their malicious code inside a seemingly harmless file is quite interesting: they used the polyglot technique.

What is the polyglot technique?

In the MITRE ATT&CK matrix, polyglot files are described as files that conform to several file formats at once and that behave differently depending on the application in which they are opened. They are used to disguise malware: to the user, and to some basic security mechanisms, they look like something completely harmless, for example an image or a document, but in fact there is malicious code inside. Moreover, the code can be written in several programming languages at once.

Attackers use a variety of format combinations. Unit42 once investigated an attack using a help file in the Microsoft Compiled HTML Help format (.chm extension) that was also an HTML Application (.hta file). Researchers have also described the use of a .jpeg image that was in fact a .phar PHP archive. In the attack investigated by our experts, executable code was hidden inside a .zip archive file.

Polyglot file in the PhantomPyramid case

The file sent by the attackers (presumably the Head Mare group) had a .zip extension and could be opened with a standard archiver utility. But in fact it was a binary executable file to the end of which a small ZIP archive had been appended. Inside the archive was a shortcut file with the double extension .pdf.lnk. If the victim, confident they were dealing with a regular PDF file, clicked on it, the shortcut executed a PowerShell script that launched the malicious .zip file as an executable and also created a decoy PDF file in the temporary directory to show to the user.
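As an added example, not part of the original post: a check for the layout just described (an executable with a ZIP appended to its end), the kind a mail gateway or attachment scanner could apply before a user ever opens the file. It works from the ZIP End Of Central Directory record, which records where the archive was meant to begin, and runs against a constructed sample (a fake "MZ" stub plus a real ZIP), not the actual PhantomPyramid file.

```python
import io
import struct
import zipfile
from typing import Optional

# Signatures of the two formats this polyglot combines: a Windows PE executable
# begins with "MZ"; a ZIP archive ends with an End Of Central Directory record.
PE_MAGIC = b"MZ"
EOCD_SIG = b"PK\x05\x06"
# Double extensions that mimic a document while actually being a shortcut.
SUSPICIOUS_DOUBLE_EXT = (".pdf.lnk", ".doc.lnk", ".docx.lnk", ".xls.lnk", ".jpg.lnk")


def zip_start_offset(data: bytes) -> Optional[int]:
    """Offset where the ZIP structure really begins, or None if there is no ZIP.

    The EOCD stores the central directory's size and its offset relative to the
    start of the archive. For a clean ZIP, eocd_pos == cd_offset + cd_size; any
    positive difference is data prepended in front of the archive (here, the executable).
    """
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) ...
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd_pos + 12)
    return eocd_pos - cd_size - cd_offset


def analyze_polyglot(data: bytes) -> dict:
    """Flag a file that is both a PE executable and a valid ZIP with a leading blob."""
    start = zip_start_offset(data)
    findings = {"is_pe": data[:2] == PE_MAGIC, "is_zip": start is not None,
                "prepended_bytes": start or 0, "suspicious_members": []}
    if findings["is_zip"]:
        # zipfile tolerates prepended data, so the appended archive's members can be listed.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings["suspicious_members"] = [
                n for n in zf.namelist() if n.lower().endswith(SUSPICIOUS_DOUBLE_EXT)]
    findings["polyglot"] = findings["is_pe"] and findings["is_zip"] and start > 0
    return findings


def build_sample() -> bytes:
    """Constructed sample: an 'MZ' stub (not a real executable) with a small ZIP appended."""
    fake_exe = PE_MAGIC + b"\x90" * 254  # placeholder bytes standing in for the PE body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Confidential.pdf.lnk", b"constructed placeholder, not a real shortcut")
    return fake_exe + buf.getvalue()
```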

How to stay safe

To prevent malicious code from running, we recommend equipping all computers with internet access with reliable security solutions. In addition, since most cyberattacks begin with malicious or social-engineering emails, it is also a good idea to install a security solution at the corporate mail gateway level.

And in order to have the most up-to-date information on the techniques, tactics, and procedures of attackers, we advise using the threat data provided by our Threat Intelligence services.
