Suspicious Double Extension Files
Detects dropped files with double extensions, a technique often used by malware to abuse the fact that Windows hides file extensions by default.
Sigma rule
title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
      type: derived
    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
      type: similar
status: test
description: Detects dropped files with double extensions, a technique often used by malware to abuse the fact that Windows hides file extensions by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2022-11-07
tags:
    - attack.defense-evasion
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            # - '.lnk' # legitimate links can appear anywhere
            - '.rar'
            - '.zip'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you want to keep using the ".lnk" extension, uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
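To make the matching logic concrete, the following is an added Python re-implementation of the rule's two selections, evaluated over constructed Sysmon file_event records; it is not part of the Sigma rule or SigmaHQ, and it assumes events arrive as dicts carrying a TargetFilename field. It applies Sigma's default case-insensitive string matching, which is why an upper-case .EXE suffix still fires, and it shows that a .lnk drop does not fire because that suffix is commented out in the rule.

```python
"""Evaluate the 'Suspicious Double Extension Files' logic over sample file events.

Added worked example, not code from the Sigma rule or SigmaHQ.
"""

# Values copied from the rule's selection_gen / selection_exe blocks.
GEN_SUFFIXES = (".exe", ".iso", ".rar", ".zip")          # '.lnk' intentionally absent
GEN_INNER = (".doc.", ".docx.", ".jpg.", ".pdf.", ".ppt.", ".pptx.", ".xls.", ".xlsx.")
EXE_SUFFIXES = (".rar.exe", ".zip.exe")


def matches_rule(target_filename: str) -> bool:
    """Return True when a file_event with this TargetFilename would trigger the rule.

    Sigma string modifiers are case-insensitive by default, so the name is
    lower-cased first. Inside selection_gen the two field clauses are ANDed;
    the condition '1 of selection_*' ORs the two selections together.
    """
    name = target_filename.lower()
    selection_gen = name.endswith(GEN_SUFFIXES) and any(s in name for s in GEN_INNER)
    selection_exe = name.endswith(EXE_SUFFIXES)
    return selection_gen or selection_exe


def triage(events: list[dict]) -> list[str]:
    """Return the TargetFilename of every event the rule would fire on."""
    return [e["TargetFilename"] for e in events if matches_rule(e.get("TargetFilename", ""))]


# Constructed sample events (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice_2022.pdf.exe"},  # hit: selection_gen
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\photos.zip.EXE"},        # hit: selection_exe, mixed case
    {"Image": "C:\\Program Files\\7-Zip\\7zG.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},           # miss: single extension
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\budget.xlsx.lnk"},  # miss: .lnk not in rule
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\scan.jpg.iso"},          # hit: selection_gen
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```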
Related rules
- Suspicious Parent Double Extension File Execution