Field | Value |
---|---|
ID | F0005 |
Objective(s) | Defense Evasion, Persistence |
Related ATT&CK Techniques | Hide Artifacts: Hidden Files and Directories (T1564.001) |
Version | 2.4 |
Created | 1 August 2019 |
Last Modified | 28 April 2024 |
Hidden Files and Directories
Malware may hide files and folders to avoid detection and/or to persist on the system; the methods commonly used are listed below. Typically this is done by marking files or directories as hidden (for example with the Hidden or System attribute on Windows) or by using special characters in file names so that they are not displayed in standard directory listings. By hiding files or directories, malware can evade detection by users and by some security software. Note that hiding of this kind only affects default listings: tools that enumerate the file system directly (such as `dir /a`, `Get-ChildItem -Force`, or a raw NTFS parser) still see the files, which is why hidden-file and timestamp anomalies are useful triage signals.
This behavior is related to Unprotect technique U1230.
See ATT&CK: Hide Artifacts: Hidden Files and Directories (T1564.001).
Name | ID | Description |
---|---|---|
Attribute | F0005.003 | Malware may change or choose an attribute to hide a file or directory. |
Extension | F0005.001 | Malware may change or use a particular file extension to hide a file. |
Location | F0005.002 | Malware may change or choose the location of itself, another file, or a directory to prevent detection. |
Timestamp | F0005.004 | Malware may change the timestamp on a file to prevent detection. |
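As an added example (not code from the MBC page or from any of the analyses cited below), the following Python script walks a directory and applies one heuristic per sub-method in the table above: a Hidden/System attribute or dot-prefixed name (Attribute), an MZ/PE image stored under a non-executable extension (Extension), a PE image dropped under a commonly abused directory such as ProgramData (Location), and a last-modified time that precedes the PE's own compile timestamp or lies in the future (Timestamp). The suspect-directory list, the PE extension set and the one-day clock slack are assumptions for illustration; the sample tree built by `demo()` is constructed, with a modification time pushed back to August 2012 in the manner of the Shamoon entry below.

```python
"""Added example: heuristic scanner for the four F0005 sub-methods.

Not code from the MBC page or any cited analysis. SUSPECT_DIRS,
PE_EXTENSIONS and SLACK are assumed values chosen for illustration.
"""
import os
import shutil
import struct
import tempfile
import time

FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bits set by attrib +h / +s
FILE_ATTRIBUTE_SYSTEM = 0x4
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}
SUSPECT_DIRS = {"programdata", "appdata", "temp", "tmp", "public"}  # assumed
SLACK = 86400  # one day of tolerance for clock skew (assumed)

# Constructed sample timestamps: a PE "compiled" on 2015-01-01 whose mtime is
# later stomped back to 2012-08-15.
COMPILE_TS = 1420070400
STOMPED_MTIME = 1344988800


def pe_compile_timestamp(path):
    """Return the COFF TimeDateStamp of a PE image, or None if not a PE file."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return None
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            coff = f.read(12)  # "PE\0\0", Machine, NumberOfSections, TimeDateStamp
    except OSError:
        return None
    if len(coff) < 12 or coff[:4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", coff, 8)[0]


def is_hidden(path, st):
    """Hidden/System attribute bits on Windows; dot-prefixed name on any OS."""
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only present on Windows
    if attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM):
        return True
    return os.path.basename(path).startswith(".")


def classify(path, rel, now):
    """Return the F0005 sub-methods a file matches; rel is its path below the scan root."""
    st = os.lstat(path)
    methods = []
    if is_hidden(path, st):
        methods.append("F0005.003 Attribute")
    compile_ts = pe_compile_timestamp(path)
    is_pe = compile_ts is not None
    if is_pe and os.path.splitext(path)[1].lower() not in PE_EXTENSIONS:
        methods.append("F0005.001 Extension")
    parents = {p.lower() for p in rel.split("/")[:-1]}
    if is_pe and parents & SUSPECT_DIRS:
        methods.append("F0005.002 Location")
    stomped = False
    if is_pe:  # modified before it was compiled, or compiled in the future
        stomped = st.st_mtime < compile_ts - SLACK or compile_ts > now + SLACK
    birth = st.st_ctime if os.name == "nt" else getattr(st, "st_birthtime", None)
    if birth is not None and st.st_mtime < birth - SLACK:
        stomped = True  # modified before it was created
    if stomped:
        methods.append("F0005.004 Timestamp")
    return methods


def scan(root, now=None):
    """Walk root and map each flagged file's relative path to the matched sub-methods."""
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            methods = classify(path, rel, now)
            if methods:
                findings[rel] = methods
    return findings


def build_sample_pe(timestamp):
    """Constructed minimal DOS stub + PE signature + COFF header (not a loadable image)."""
    img = bytearray(0x58)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew: PE header lives at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab, NumSyms, OptHdrSize, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(img)


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="f0005_")
    try:
        drop_dir = os.path.join(root, "ProgramData")
        os.makedirs(drop_dir)
        payload = os.path.join(drop_dir, "update.dat")  # PE hidden behind a data extension
        with open(payload, "wb") as f:
            f.write(build_sample_pe(COMPILE_TS))
        os.utime(payload, (STOMPED_MTIME, STOMPED_MTIME))  # stomp mtime back to 2012
        with open(os.path.join(root, ".cache"), "wb") as f:  # hidden by name only
            f.write(b"not a PE image")
        with open(os.path.join(root, "readme.txt"), "w") as f:  # benign control
            f.write("benign\n")
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, methods in sorted(demo().items()):
        print(rel, "->", ", ".join(methods))
```

These are triage heuristics, not verdicts: legitimate installers also drop PE files under ProgramData, and build pipelines can leave an mtime slightly older than the compile stamp, which is why a slack window is applied. On Windows `st_file_attributes` exposes the real Hidden/System bits, so `attrib +h` as used by WannaCry is caught directly; on other platforms only the dot-prefix convention applies.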
Name | Date | Method | Description |
---|---|---|---|
GoBotKR | 2019 | -- | GoBotKR stores itself in a file with Hidden and System attributes. [1] |
Shamoon | 2012 | F0005.004 | Shamoon modifies the timestamps of target files to August 2012 as an anti-forensic trick. [2] |
CHOPSTICK | 2015 | -- | CHOPSTICK creates a hidden file for temporary storage. [3] |
Vobfus | 2016 | F0005.002 | Vobfus is located on external drives or network shares and attaches itself to ZIP and RAR files, other removable drives, and network shares. Vobfus hides folders on the external drive and drops an executable with the same name and a disguised folder icon. [4] |
Matanbuchus | 2021 | F0005.002 | Matanbuchus looks for a specific folder on the victim host. If the folder does not exist, the malware creates it by calling CreateDirectoryA and downloads the remote file into the new folder. [5] [6] |
Matanbuchus | 2021 | F0005.001 | Matanbuchus also builds the drop path by appending a filename with the .ocx extension to the ProgramData folder path. [5] [6] |
WannaCry | 2017 | F0005.003 | WannaCry uses the +h attribute to hide its files. [7] |
Tool: CAPE | Mapping | APIs |
---|---|---|
spoofs_procname | Hidden Files and Directories (F0005) | -- |
spoofs_procname | Hidden Files and Directories::Location (F0005.002) | -- |
pe_compile_timestomping | Hidden Files and Directories (F0005) | -- |
pe_compile_timestomping | Hidden Files and Directories::Timestamp (F0005.004) | -- |
stealth_hidden_extension | Hidden Files and Directories (F0005) | -- |
stealth_hiddenreg | Hidden Files and Directories (F0005) | -- |
stealth_file | Hidden Files and Directories (F0005) | NtSetInformationFile, NtClose, NtCreateFile, NtDuplicateObject, NtOpenFile |
[1] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[3] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[4] https://securitynews.sonicwall.com/xmlpost/revisiting-vobfus-worm-mar-8-2013/
[5] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[6] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[7] https://www.mandiant.com/resources/blog/wannacry-malware-profile