Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called `evil.bin`, double clicking it will launch Terminal.app and execute it. If the file is renamed to `evil.txt`, double clicking it opens it in the default text editing application (the binary is not executed). However, if the file is renamed to `evil.txt ` (note the space at the end), then when it is double clicked the OS determines the true file type, handles it accordingly, and the binary is executed[1].
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
| ID | Name | Description |
|---|---|---|
| G0082 | APT38 | APT38 has put several spaces before a file extension to avoid detection and suspicion.[2] |
| S0276 | Keydnap | Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.[3] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0292 | Masquerading via Space After Filename - Behavioral Detection Strategy | AN0812 | Detection of file execution where the file name contains a trailing space to masquerade as a known executable. Adversaries may exploit the way command line interpreters handle file names with trailing whitespace. |
| DET0292 | Masquerading via Space After Filename - Behavioral Detection Strategy | AN0813 | Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons. |
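A defender-side check for the trailing-space pattern the analytics above describe, added here as an example (it is not part of the ATT&CK page): it inspects process-execution records for basenames that end in whitespace and reports the extension the user would have seen, whether the launch went through Terminal.app, and whether the file sits under LaunchAgents or LaunchDaemons. The JSON record shape (`path`, `parent`) and the sample telemetry are assumptions constructed for this example.

```python
import json
import os
import re

# A basename whose last non-whitespace character is followed by one or more
# whitespace characters, e.g. "evil.txt " or "photo.jpg   ".
_TRAILING_WS = re.compile(r"\S(\s+)$")
_PERSIST_DIRS = ("/LaunchAgents/", "/LaunchDaemons/")

def trailing_whitespace_suffix(path):
    # Return the run of trailing whitespace in the basename, or '' if none.
    m = _TRAILING_WS.search(os.path.basename(path))
    return m.group(1) if m else ""

def visible_extension(path):
    # Extension the user sees in Finder once the trailing whitespace is ignored.
    _, ext = os.path.splitext(os.path.basename(path).rstrip())
    return ext.lower()

def flag_event(event):
    # Inspect one execution event ({"path": ..., "parent": ...}, an assumed
    # schema); return a finding dict for a trailing-space name, else None.
    ws = trailing_whitespace_suffix(event["path"])
    if not ws:
        return None
    parent = event.get("parent", "")
    return {
        "path": event["path"],
        "parent": parent,
        "visible_ext": visible_extension(event["path"]),
        "trailing_ws_len": len(ws),
        "terminal_launch": parent.endswith("Terminal.app"),  # .txt/.jpg run via Terminal
        "persistence_dir": any(d in event["path"] for d in _PERSIST_DIRS),
    }

def scan(log_lines):
    # Parse JSON-lines execution telemetry and keep only flagged events, in order.
    events = (json.loads(line) for line in log_lines if line.strip())
    return [f for f in map(flag_event, events) if f]

# Constructed sample telemetry (not real logs): an ordinary launch, a ".jpg "
# opened through Terminal.app, and a two-space name dropped under LaunchAgents.
SAMPLE_LOG = [
    '{"path": "/Users/u/Downloads/report.pdf", "parent": "/System/Applications/Preview.app"}',
    '{"path": "/Users/u/Downloads/photo.jpg ", "parent": "/System/Applications/Utilities/Terminal.app"}',
    '{"path": "/Users/u/Library/LaunchAgents/updater.txt  ", "parent": "/sbin/launchd"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```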