Threat actors are leveraging polyglot file attacks to evade detection and deliver information-stealing malware, according to new research.
Palo Alto Networks' Unit 42 threat intelligence team discovered last month an attack technique that starts with a phishing email and combines polyglot file attacks with Microsoft Compiled HTML Help (CHM) file abuse. The sample analysis was published Tuesday in a blog post where Mark Lim, senior malware reverse engineer at Palo Alto Networks, detailed how the infamous IcedID, a malware abused by multiple ransomware gangs, was delivered as the final payload.
Though IcedID was involved in the attack chain that Unit 42 observed, the tactic highlighted a bigger threat as attackers can hide any malware by writing code in multiple languages to evade detection. The technique allows threat actors to bypass antimalware systems that rely on file format identification.
"It is important for defenders not to trust binaries based on their file types since polyglot files such as the one discussed here have more than one correct file type," Lim wrote in the blog post.
While analyzing the August attack, researchers observed threat actors executing the same CHM file twice in the infection process. They also uncovered a command-and-control URL as one indicator of compromise for IcedID.
"The first execution exhibits benign activities, while the second execution stealthily carries out malicious behaviors," the blog post read.
Lim told TechTarget Editorial that the first CHM file acts as a decoy to the users, while the second one carries out malicious behaviors in the background. In this case, the decoy was a Microsoft Customer Service and Support window.
Lim confirmed that polyglot files have been used for some time, but warned in the blog post that threat actors continue to evolve their techniques to evade detection. He added that modern endpoint detection and response products, including Palo Alto Networks' Cortex extended detection and response platform, can detect and stop malicious polyglots. "Cortex XDR monitors the processes that are created and the user behaviors, not requiring the need for IoCs to be ingested into the tool."