Most malware is carefully disguised or hidden before it executes. That’s especially true in scenarios involving client-side file upload portals, where threat actors are typically targeting a perceived or researched weakness in a web application’s edge security policies.

The term obfuscation describes the deliberate act of concealing malicious code, malicious behavior, a file’s true type, or any other form of insecure content a bad actor doesn’t want a system to notice. In the context of client-side file uploads, it might be tempting to think of obfuscated malicious uploads as quick and dirty attempts to place malware in accessible storage containers – and that’s sometimes the case – but the whole truth is usually more sinister. Obfuscated malicious uploads are often the first chess piece to move in a multi-stage attack, with follow-up attacks poised to exploit a narrow gap created by the initial hidden payload.

Understanding obfuscation is essential for catching malware – and malicious content of any kind – before it has the chance to clear a path for remote code execution, data exfiltration, and other high-severity outcomes.

What is obfuscation in malware delivery?

Threat actors use a variety of obfuscation techniques to make malware harder to detect or analyze by the system (or human security professionals) processing them. The goal is either to hide the presence of malware entirely (which often hinges on weakly configured file scanning policies) or confuse the tools inspecting more deeply into the file.

Encryption is one common example of this. Threat actors often encrypt entire malware payloads – or even just the most critical pieces of malicious code responsible for malware execution – to prevent antivirus entities from identifying its true functionality. Another common example is disguising the file format altogether; it’s very straight forward to change file extensions or, in the case of more sophisticated threat actors, make subtle changes to file headers which confuse MIME/media type validation measures.

Common malware obfuscation techniques

Below, we’ll go over some of the most common malware obfuscation techniques in some more detail.

File type spoofing

Spoofing is a quick and easy form of obfuscation anyone can pull off on their own machine. This technique involves renaming malware files from their true extension (e.g., .exe) to a seemingly harmless extension (e.g., .exe -> .jpg). The success of this technique relies on edge security policies which do not validate the contents of a file from within.

Compressed archive layering

Malware can be nested extremely deep within compressed archives – much, much deeper than we might think. Archive file types like .zip are essentially miniature file explorers, and they can store other compressed archives too. Obfuscation strategies focused on layering malware in compressed archives test how robust edge security policies are. If they allow files with extensions like .zip or .rar, can they accurately identify and remove malware nested within the archive (e.g., .exe files with spoofed extensions like the example above)? Do they scan the archive recursively to ensure every stone is turned over before the archive is deemed “safe”?

Payload encoding

Encoding is conceptually similar to encryption, but it uses less immediately suspicious techniques. Encoding obfuscation strategies involve the conversion of malware payloads into different, less readable formats (like Base64, for example) and the subsequent embedding of that content within another valid file type. For example, a threat actor might Base64 encode a MS Office macro; if edge scanning policies are configured to look for specific types of malicious macros (rather than inherently mistrust macros in the first place), they might not detect the Base64 encoded version.

Script renaming

Malicious code often follows the same unwritten rules as legitimate code when it comes to organization and readability. Variables, methods, and other code components are expected to have some clearly defined meaning; that’s what makes the code reusable by folks who didn’t write it. By renaming these components to have little or no obvious meaning, threat actors can sometimes confuse threat analysis entities (often people, in this case) into misunderstanding the true purpose of the code embedded within a file. This is a less broadly effective technique, but it’s viable for exploiting any file processing workflows tasked with handling legitimate code for other reasons.

Using trusted wrappers

When we talk about “trusted wrappers" in this case, we’re specifically referring to files with valid digital signatures. In certain file upload workflows (e.g., those involving legal contracts or government documents), digital signatures are a critical component of authentication; they verify the identify of the person who created or sent the digital document, and they prevent the signer from denying they shared the content later on. If a threat actor can obtain a digitally signed document and inject malware within it, they might be able to trick weakly configured threat detection policies into trusting their version of the signed document.

Why obfuscation comes first in the attack chain

The techniques and strategies described above are crucial for satisfying a threat actor’s first priority: getting through the door. Once that’s taken care of, the attacker can shift their focus to subsequent attack stages which escalate and expand their control.

For example, an attacker can take follow-up actions like mapping the victim network or identifying security controls after obfuscated Remote Access Trojans (RATs) establish a connection with their Command and Control (C2) server. If they used an encoded payload to avoid detection at the point of upload, they might decode that payload within the target environment by downloading a separate decoding script after the fact.

How Cloudmersive Detects Obfuscated Threats

Cloudmersive’s Advanced Virus Scan API is designed to defeat malware obfuscation techniques with a combination of signature-based scanning and deep content verification. It identifies files based on their internal structure and behavior, rather than trusting file extensions or MIME types. Further, it recursively unpacks compressed archives to identify each potential threat hidden within entire directory.

Most importantly, this API accepts custom threat rule parameters which categorically reject content based on the verified content type. Macros, executables, scripts, password-protected files, and invalid files (i.e., those with contents not matching the extension) can be blocked regardless of whether they contain identifiable malware. This means the API doubles as a threat detection engine and file type validation engine for upload workflows with particularly stringent upload rules.

Final Thoughts

Malware authors and the threat actors who use their malware libraries assume they’ll run into robust antivirus engines at the point of upload. That’s why they start with obfuscation: to see if they can trick these engines into trusting content that shouldn’t really be trusted. Obfuscated malware is often the first sign of an attack that will involve multiple stages and have devastating consequences if not detected and mitigated immediately.

For expert advice on handling insecure file uploads, please reach out to a member of our team.