{"id":28847,"date":"2025-04-02T18:18:03","date_gmt":"2025-04-02T17:18:03","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/polyglot-malware-masking-technique\/28847\/"},"modified":"2025-04-02T18:18:03","modified_gmt":"2025-04-02T17:18:03","slug":"polyglot-malware-masking-technique","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/polyglot-malware-masking-technique\/28847\/","title":{"rendered":"When files are not what they seem"},"content":{"rendered":"<p>Not long ago, our Securelist blog published a <a href=\"https:\/\/securelist.ru\/head-mare-attacks-with-phantompyramid\/112164\/\" target=\"_blank\" rel=\"noopener\">post<\/a> (Russian language only) about an attack on industrial enterprises using the PhantomPyramid backdoor, which our experts with a high degree of confidence attribute to the Head Mare group. The attack was fairly standard \u2014 an email claiming to contain confidential information, with an attached password-protected archive containing malware, and a password for unpacking located right in the email\u2019s body. But the method by which the attackers hid their malicious code \u2014 in a seemingly harmless file \u2014 is quite interesting: to do it they used the polyglot technique.<\/p>\n<h2>What is the polyglot technique?<\/h2>\n<p>In the Mitre ATT&amp;CK matrix, polyglot files are <a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/008\/\" target=\"_blank\" rel=\"nofollow noopener\">described<\/a> as files that correspond to several file types at once, and that operate differently depending on the application in which they\u2019re launched. They\u2019re used to disguise malware: for the user, as well as for some basic protection mechanisms, they look like something completely harmless, for example a picture or a document, but in fact there\u2019s malicious code inside. 
Moreover, the code can be <a href=\"https:\/\/en.wikipedia.org\/wiki\/Polyglot_(computing)\" target=\"_blank\" rel=\"nofollow noopener\">written<\/a> in several programming languages at once.<\/p>\n<p>Attackers use a variety of format combinations. Unit42 once <a href=\"https:\/\/unit42.paloaltonetworks.com\/polyglot-file-icedid-payload\/\" target=\"_blank\" rel=\"nofollow noopener\">investigated<\/a> an attack using a help file in the Microsoft Compiled HTML Help format (.chm extension), which was also an HTML application (.hta file). Researchers also <a href=\"https:\/\/medium.com\/swlh\/polyglot-files-a-hackers-best-friend-850bf812dd8a\" target=\"_blank\" rel=\"nofollow noopener\">describe<\/a> the use of a .jpeg image inside which, in fact, was a .phar PHP archive. In the case of the attack investigated by our experts, executable code was hidden inside a .zip archive file.<\/p>\n<h2>Polyglot file in the PhantomPyramid case<\/h2>\n<p>The file sent by the attackers (presumably the Head Mare group) had a .zip extension and could be opened with a standard archiver application. But in fact it was a binary executable file, to the end of which a small ZIP archive had been appended. Inside the archive was a shortcut file with a double extension, .pdf.lnk. If the victim, confident that they were dealing with a regular PDF file, clicked on it, the shortcut executed a PowerShell script, which allowed the malicious .zip file to be launched as an executable file, and also created a decoy PDF file in the temporary directory to show to the user.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To prevent the launch of malicious code, we recommend equipping all computers with internet access with <a href=\"https:\/\/www.kaspersky.co.uk\/next?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____c85c7f718828ada0\" target=\"_blank\" rel=\"noopener\">reliable security solutions<\/a>. 
In addition, since most cyberattacks begin with malicious or social engineering emails, it\u2019s not a bad idea to install a security solution <a href=\"https:\/\/www.kaspersky.co.uk\/small-to-medium-business-security\/mail-security-appliance?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">at the corporate mail gateway level<\/a>.<\/p>\n<p>And in order to have the most up-to-date data on the techniques, tactics, and procedures of attackers, we suggest using the threat data provided by our <a href=\"https:\/\/www.kaspersky.co.uk\/enterprise-security\/threat-intelligence?icid=gb_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Threat Intelligence services<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers use the polyglot technique to disguise malware. We explain what it is and how to protect your company against 
attacks.<\/p>\n","protected":false},"author":2706,"featured_media":28848,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1836,2360,2361,2026],"tags":[36,529],"class_list":{"0":"post-28847","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-malware-2","12":"tag-threats"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/polyglot-malware-masking-technique\/28847\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/polyglot-malware-masking-technique\/28730\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/polyglot-malware-masking-technique\/23969\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/polyglot-malware-masking-technique\/39330\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/polyglot-malware-masking-technique\/53263\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/polyglot-malware-masking-technique\/29005\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/polyglot-malware-masking-technique\/34794\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/polyglot-malware-masking-technique\/34426\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/malware-2\/","name":"malware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/28847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/b
log\/wp-json\/wp\/v2\/comments?post=28847"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/28847\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/28848"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=28847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=28847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=28847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}