Common Information
Type | Value |
---|---|
Value | Double File Extension - T1036.007 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: `File.txt.exe` may render in some views as just `File.txt`). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies. (Citation: PCMag DoubleExtension) (Citation: SOCPrime DoubleExtension) Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named `Evil.txt.exe` may display as `Evil.txt` to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware. (Citation: SOCPrime DoubleExtension) Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type. |
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2024-11-15 | 3 | Hack The Box \| Sherlock \| Unit42 |
Details | Website | 2024-10-31 | 10 | UAC-0050 Phishing Attack Detection: The russia-Backed Group Massively Spreads Tax-Related Phishing Emails and Exploit LITEMANAGER - SOC Prime |
Details | Website | 2024-08-02 | 22 | Fighting Ursa Luring Targets With Car for Sale |
Details | Website | 2024-07-25 | 59 | How APT groups operate in Southeast Asia |
Details | Website | 2024-03-18 | 96 | Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks |
Details | Website | 2024-02-26 | 32 | Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections |
Details | Website | 2023-10-11 | 55 | Genesis Market No Longer Feeds The Evil Cookie Monster |
Details | Website | 2023-10-10 | 31 | Threat Actor deploys Mythic’s Athena Agent to target Russian Semiconductor Suppliers |
Details | Website | 2023-10-09 | 17 | SmokeLoader Malware Detection: UAC-0006 Hackers Launch a Wave of Phishing Attacks Against Ukraine Targeting Accountants - SOC Prime |
Details | Website | 2023-09-13 | 31 | RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware |
Details | Website | 2023-09-13 | 37 | RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware |
Details | Website | 2023-02-23 | 27 | Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware |
Details | Website | 2022-12-06 | 2 | Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets |
Details | Website | 2022-12-01 | 43 | Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon |
Details | Website | 2022-11-02 | 11 | Appleseed Being Distributed to Nuclear Power Plant-Related Companies - ASEC BLOG |
Details | Website | 2018-10-29 | 8 | New File Types Emerge in Malware Spam Attachments |
Details | Website | 2018-10-29 | 28 | New File Types Emerge in Malware Spam Attachments |