Double File Extension

Information

• Name: Double File Extension

• ID: T1036.007

• Tactics: TA0005

• Technique: T1036

Introduction

Double File Extension (T1036.007) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Masquerading" (T1036). It involves attackers disguising malicious files by applying multiple file extensions to trick users or evade detection systems. Typically, attackers leverage this sub-technique to make executable files appear as harmless documents or images, thereby increasing the likelihood of successful execution by unsuspecting users.

Deep Dive Into Technique

Attackers employing the Double File Extension technique manipulate filenames to obscure the true nature of malicious files, primarily executables. This is typically achieved by appending a benign-looking extension (such as .pdf, .docx, .jpg) followed by the actual executable extension (.exe, .scr, .bat), resulting in filenames like invoice.pdf.exe or photo.jpg.scr.

Technical details and execution methods include:

• Filename Manipulation: Attackers rename malicious executable files to include misleading extensions, exploiting default operating system settings that hide known file extensions.

• Icon Spoofing: Attackers may embed legitimate-looking icons (e.g., PDF, Word, Excel, or image icons) into executables to further enhance deception.

• Archive or Compressed Files: Malicious files with double extensions may be compressed into archives (ZIP, RAR, 7Z) to bypass email security gateways and endpoint protection solutions.

• Social Engineering: Attackers often combine double extensions with social engineering tactics, such as phishing emails or malicious websites, to increase victim engagement and execution probability.

Real-world procedures include:

• Delivery of malicious payloads through phishing campaigns.

• Distribution via compromised websites or legitimate file-sharing services.

• Exploitation of user trust in familiar file formats and icons.

When this Technique is Usually Used

This sub-technique commonly appears in various attack scenarios and stages, including:

• Initial Access: Attackers frequently use double extensions during phishing campaigns to deceive users into executing malicious files, granting initial entry points.

• Execution Stage: Malicious executables disguised as documents or images are executed by unsuspecting victims, establishing persistence or delivering secondary payloads.

• Delivery of Malware Payloads: This technique is extensively used to deliver ransomware, remote access trojans (RATs), spyware, and banking trojans.

• Email-based Attacks: Attackers often attach malicious files with double extensions in email attachments, aiming to bypass email security filters and deceive end-users.

• Drive-by Downloads: Malicious websites or compromised legitimate sites may host files named with double extensions to mislead visitors into downloading and executing malware.

How this Technique is Usually Detected

Detection methods and tools for identifying Double File Extension include:

• Endpoint Security Solutions: Modern antivirus, EDR (Endpoint Detection and Response), and next-generation endpoint protection platforms often include detection rules for suspicious file naming conventions.

• Email Gateway Filters: Advanced email security solutions scan attachments for double extensions and block or quarantine suspicious files.

• Behavioral Analysis: Sandboxing and behavioral analysis solutions detect malicious files by analyzing execution behavior, regardless of filename manipulation.

• SIEM and Log Monitoring: Security Information and Event Management (SIEM) systems can correlate events such as file downloads, executions, and suspicious naming patterns to alert security teams.

• User Awareness and Training: Trained users can recognize suspicious filenames and report or avoid executing files with double extensions.

Specific Indicators of Compromise (IoCs) include:

• Files with multiple extensions, especially .exe, .scr, .bat, .cmd, .vbs, .js, or .pif at the end of filenames.

• Suspicious email attachments with misleading filenames.

• Unusual file execution events logged by endpoint monitoring systems.

• User reports of unexpected file behavior or suspicious files.

Why it is Important to Detect This Technique

Detecting the Double File Extension technique is critical for multiple reasons:

• Preventing Malware Infections: Early detection prevents initial execution, reducing the risk of malware infection and propagation across systems.

• Avoiding Data Breaches and Theft: Malware disguised through double extensions can lead to severe data breaches, intellectual property theft, and financial losses.

• Stopping Ransomware Attacks: Many ransomware campaigns leverage double extensions during initial infection; detecting and preventing these files significantly reduces ransomware risk.

• Reducing Operational Downtime: Preventing malicious file execution helps avoid costly downtime, recovery efforts, and remediation activities.

• Enhancing Security Posture: Regular detection and mitigation of masquerading techniques like double extensions improve overall organizational security posture and resilience against future attacks.

Examples

Real-world examples demonstrating the use of Double File Extension include:

• Emotet Malware Campaigns:

  • Attackers distributed malicious email attachments named Invoice.doc.exe or Payment.pdf.exe.

  • Users who executed these files inadvertently installed the Emotet malware, leading to further malware deployment, data theft, and ransomware infections.

• Agent Tesla RAT Campaigns:

  • Phishing emails contained attachments such as OrderConfirmation.pdf.exe or ShippingDetails.docx.exe.

  • Upon execution, Agent Tesla RAT provided attackers with remote access, keylogging capabilities, and credential theft.

• TrickBot Trojan Attacks:

  • Attackers used filenames like Resume.doc.exe or TaxForm.pdf.exe in email phishing campaigns.

  • Execution of these files installed TrickBot, enabling lateral movement, credential harvesting, and subsequent ransomware deployment (e.g., Ryuk ransomware).

• BazarLoader and Ryuk Ransomware:

  • Emails with attachments named PayrollReport.xlsx.exe or similar misleading filenames.

  • Victims executing these files initiated the BazarLoader infection, leading to Ryuk ransomware deployment, data encryption, and severe operational disruptions.

These examples illustrate the widespread use of double extensions in various malware campaigns and highlight the necessity for robust detection measures and user awareness training.