Masquerading: Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to **evil.txt ** (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
Space After Filename
Supported Platforms: macos
Run it with these steps!
echo '#!/bin/bash\necho "print \"hello, world!\"" /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
mv execute.txt "execute.txt "
Space after filename.
Supported Platforms: macos,linux
Attack Commands: Run with bash!
1 2 3 4 5 6 7 mkdir -p /tmp/atomic-test-T1036.006 cd /tmp/atomic-test-T1036.006 mkdir -p 'testdirwithspaceend ' /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null chmod +x 'testdirwithspaceend /init ' './testdirwithspaceend /init '
1 rm -rf /tmp/atomic-test-T1036.006