Hide Artifacts: Hidden Files and Directories
Other sub-techniques of Hide Artifacts (7)
ID | Name |
---|---|
T1564.001 | Hidden Files and Directories |
T1564.002 | Hidden Users |
T1564.003 | Hidden Window |
T1564.004 | NTFS File Attributes |
T1564.005 | Hidden File System |
T1564.006 | Run Virtual Instance |
T1564.007 | VBA Stomping |
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS).
On Linux and Mac, users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name [1] [2]. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like "ls". Users must specifically change settings to have these files viewable.
Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app [3]. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.
Adversaries can use this to their advantage to hide files and folders anywhere on the system, evading a typical user or system analysis that does not incorporate investigation of hidden files.
Procedure Examples
Name | Description |
---|---|
APT28 | |
APT32 | APT32's macOS backdoor hides the clientID file via a chflags function.[5] |
Attor | Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.[6] |
BackConfig | BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[7] |
Calisto | Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.[8][9] |
Carberp | Carberp has created a hidden file in the Startup folder of the current user.[10] |
CoinTicker | CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].[11] |
Dacls | Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.[12][13] |
FruitFly | FruitFly saves itself with a leading "." to make it a hidden file.[14] |
iKitten | iKitten saves itself with a leading "." so that it's hidden from users by default.[14] |
Imminent Monitor | Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.[15] |
InvisiMole | InvisiMole can create hidden system directories.[16] |
Ixeshe | Ixeshe sets its own executable file's attributes to hidden.[17] |
Komplex | The Komplex payload is stored in a hidden directory at |
Lazarus Group | Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.[18][12][13] |
Lokibot | Lokibot has the ability to copy itself to a hidden file and directory.[19] |
LoudMiner | LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden".[20] |
Machete | Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.[21] |
MacSpy | |
Micropsia | Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.[23] |
Okrum | Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.[24] |
OSX/Shlayer | OSX/Shlayer executes a .command script from a hidden directory in a mounted DMG.[25] |
OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.[26] |
PoetRAT | |
Rising Sun | Rising Sun can modify file attributes to hide files.[28] |
Rocke | Rocke downloaded a file "libprocesshider", which could hide files on the target system.[29][30] |
Tropic Trooper | Tropic Trooper has created a hidden directory under |
WannaCry | WannaCry uses |
Mitigations
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.
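The two indicators named above, as an added detection example that is not part of the ATT&CK page: it runs over constructed file-creation and process-creation events, flags dot-prefixed paths on Linux/macOS (with an allowlist for legitimate dot-directories such as .ssh, which the page notes are common) and attrib.exe invocations that add the hidden attribute, and extends the same check to the macOS chflags hidden usage mentioned earlier on the page. The event schema, allowlist, user names and most paths are assumptions made for the example.

```python
# T1564.001 detection over constructed telemetry: dot-prefixed file creation on
# Linux/macOS, and commands that add the hidden attribute (attrib.exe +h, chflags hidden).
import shlex
from pathlib import PurePosixPath, PureWindowsPath

# Dot-directories applications create legitimately (e.g. SSH's .ssh); tune per environment.
ALLOWLIST = {".ssh", ".bash_history", ".cache", ".config"}

def dotfile_alert(path: str, platform: str) -> bool:
    """True if a Linux/macOS path has a dot-prefixed component not on the allowlist."""
    if platform not in ("linux", "macos"):
        return False  # a leading "." does not hide a file on Windows
    parts = PurePosixPath(path).parts
    return any(p.startswith(".") and p not in (".", "..") and p not in ALLOWLIST for p in parts)

def hide_command_alert(cmdline: str, platform: str) -> bool:
    """True if the command line sets the hidden attribute (Windows) or UF_HIDDEN flag (macOS)."""
    try:
        argv = shlex.split(cmdline, posix=(platform != "windows"))
    except ValueError:
        return False  # unbalanced quotes: leave for other rules
    if not argv:
        return False
    exe = argv[0].strip('"').lower()
    if platform == "windows" and PureWindowsPath(exe).name in ("attrib", "attrib.exe"):
        return any(a.startswith("+") and "h" in a.lower() for a in argv[1:])  # +h, +hs ...
    if platform == "macos" and PurePosixPath(exe).name == "chflags":
        # "hidden" sets UF_HIDDEN; "nohidden" clears it and is not an alert
        return any("hidden" in a.lower() and not a.lower().startswith("no") for a in argv[1:])
    return False

def scan(events):
    """Return the events matching either indicator."""
    return [ev for ev in events
            if (ev["type"] == "file_create" and dotfile_alert(ev["path"], ev["platform"]))
            or (ev["type"] == "process" and hide_command_alert(ev["cmdline"], ev["platform"]))]

# Constructed sample telemetry; user names and most paths are made up for this example.
SAMPLE_EVENTS = [
    {"type": "file_create", "platform": "macos", "path": "/private/tmp/.info.py"},
    {"type": "file_create", "platform": "linux", "path": "/home/alice/.ssh/known_hosts"},
    {"type": "file_create", "platform": "macos", "path": "/Users/alice/Library/Containers/.x1/y2"},
    {"type": "process", "platform": "windows", "cmdline": r"attrib.exe +h +s C:\Users\alice\update.exe"},
    {"type": "process", "platform": "windows", "cmdline": r"attrib.exe -h C:\Users\alice\report.docx"},
    {"type": "process", "platform": "macos", "cmdline": "chflags hidden /Users/alice/clientID"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Four of the six sample events match; the .ssh write and the attrib.exe -h call (which clears the attribute) do not.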
References
1. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
3. Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.
4. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
5. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
7. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
8. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
9. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
10. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
11. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
12. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
13. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
14. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
15. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
16. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
17. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
18. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
19. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
20. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
21. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
22. PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018.
23. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
24. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
25. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
26. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
27. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
28. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
29. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
30. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
31. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
32. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
33. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.