T1564.009 Resource Forking
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.5 Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.23
Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.41
| Item | Value |
|---|---|
| ID | T1564.009 |
| Sub-techniques | T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010 |
| Tactics | TA0005 |
| Platforms | macOS |
| Version | 1.0 |
| Created | 12 October 2021 |
| Last Modified | 05 May 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0276 | Keydnap | Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable’s icon assigned by the operating system.7 |
| S0402 | OSX/Shlayer | OSX/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.14 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1013 | Application Developer Guidance | Configure applications to use the application bundle structure which leverages the /Resources folder location.6 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Creation |
| DS0009 | Process | Process Creation |
References
-
Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021. ↩↩
-
Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021. ↩
-
Howard Oakley. (2020, October 24). There’s more to files than data: Extended Attributes. Retrieved October 12, 2021. ↩
-
Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021. ↩↩
-
Apple Inc. (2021, February 18). App security overview. Retrieved October 12, 2021. ↩
-
Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017. ↩