Skip to content

T1564.001 Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name 1 2. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app 3. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Item Value
ID T1564.001
Sub-techniques T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010
Tactics TA0005
Platforms Linux, Windows, macOS
Permissions required User
Version 1.0
Created 26 February 2020
Last Modified 29 March 2020

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has created hidden folders.7
S0584 AppleJeus AppleJeus has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings.39
G0007 APT28 APT28 has saved files with hidden file attributes.4444
G0050 APT32 APT32‘s macOS backdoor hides the clientID file via a chflags function.51
S0438 Attor Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.37
S0475 BackConfig BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.6
S0274 Calisto Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.2627
S0484 Carberp Carberp has created a hidden file in the Startup folder of the current user.18
S1043 ccf32 ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).25
S0660 Clambling Clambling has the ability to set its file attributes to hidden.28
S0369 CoinTicker CoinTicker downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string].13
S0497 Dacls Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.2324
S0634 EnvyScout EnvyScout can use hidden directories and files to hide malicious executables.20
S0569 Explosive Explosive has commonly set file and path attributes to hidden.11
S0277 FruitFly FruitFly saves itself with a leading “.” to make it a hidden file.34
G0125 HAFNIUM HAFNIUM has hidden files on a compromised host.46
S0278 iKitten iKitten saves itself with a leading “.” so that it’s hidden from users by default.34
S0434 Imminent Monitor Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.4
S0260 InvisiMole InvisiMole can create hidden system directories.12
S0015 Ixeshe Ixeshe sets its own executable file’s attributes to hidden.33
S0162 Komplex The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd.1
G0032 Lazarus Group Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.42232443
S0447 Lokibot Lokibot has the ability to copy itself to a hidden file and directory.31
S0451 LoudMiner LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to “hidden”.9
G1014 LuminousMoth LuminousMoth has used malware to store malicious binaries in hidden directories on victim’s USB drives.48
S0409 Machete Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.32
S0282 MacSpy MacSpy stores itself in ~/Library/.DS_Stores/ 29
S0339 Micropsia Micropsia creates a new hidden directory to store all components’ outputs in a dedicated sub-folder for each.41
G0129 Mustang Panda Mustang Panda‘s PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.47
S0198 NETWIRE NETWIRE can copy itself to and launch itself from hidden folders.15
S0439 Okrum Before exfiltration, Okrum‘s backdoor has used hidden files to store logs and outputs from backdoor commands.10
S0402 OSX/Shlayer OSX/Shlayer has executed a .command script from a hidden directory in a mounted DMG.22
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D sets the main loader file’s attributes to hidden.14
S0013 PlugX PlugX can modify the characteristics of folders to hide them from the compromised user.21
S0428 PoetRAT PoetRAT has the ability to hide and unhide files.19
S0650 QakBot QakBot has placed its payload in hidden subdirectories.40
S0262 QuasarRAT
QuasarRAT has the ability to set file attributes to “hidden” to hide files from the compromised user’s view in Windows File Explorer.5
S0448 Rising Sun Rising Sun can modify file attributes to hide files.36
G0106 Rocke Rocke downloaded a file “libprocesshider”, which could hide files on the target system.4950
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has been created with a hidden attribute to insure it’s not visible to the victim.17
S0663 SysUpdate SysUpdate has the ability to set file attributes to hidden.35
S0595 ThiefQuest ThiefQuest hides a copy of itself in the user’s ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.38
G0134 Transparent Tribe Transparent Tribe can hide legitimate directories and replace them with malicious copies of the same name.45
G0081 Tropic Trooper Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.5253
S0366 WannaCry WannaCry uses attrib +h to make some of its files hidden.16
S0612 WastedLocker WastedLocker has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.30
S0658 XCSSET XCSSET uses a hidden folder named .xcassets and .git to embed itself in Xcode.8

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Creation
DS0009 Process Process Creation

References

  1. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy’s ‘Komplex’ OS X Trojan. Retrieved July 8, 2017. 

  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. 

  3. Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. 

  4. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 

  5. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  6. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  7. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. 

  8. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 

  9. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. 

  10. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  11. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. 

  12. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  13. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. 

  14. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. 

  15. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. 

  16. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 

  17. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. 

  18. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 

  19. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. 

  20. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 

  21. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

  22. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 

  23. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. 

  24. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. 

  25. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  26. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 

  27. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. 

  28. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  29. PETER EWANE. (2017, June 9). MacSpy: OS X RAT as a Service. Retrieved September 21, 2018. 

  30. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. 

  31. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. 

  32. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  33. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  34. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  35. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  36. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. 

  37. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. 

  38. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021. 

  39. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  40. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  41. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 

  42. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. 

  43. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. 

  44. Mercer, W., et al. (2017, October 22). “Cyber Conflict” Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. 

  45. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 

  46. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. 

  47. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. 

  48. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  49. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  50. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020. 

  51. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. 

  52. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018. 

  53. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.