
Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp. The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software. BADNEWS attempts to hide its payloads using legitimate filenames. Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe. BackdoorDiplomacy has dropped implants in folders named for legitimate software. BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.

APT41 attempted to masquerade their files as popular anti-virus software. APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe. APT32 has renamed a Cobalt Strike beacon payload to install_flashplayers.exe. APT32 has also renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT29 renamed software and DLLs with legitimate names to appear benign. APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page. The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware. AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.

Procedure Examples

Actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe. Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.
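The examples above share two detectable patterns: a legitimate name running from the wrong directory (AcroRD32.exe in a user folder, %TEMP%\audiodg.exe after the ren command) and a near-miss of a legitimate name (mfevtpse.exe for mfevtps.exe, install_flashplayers.exe for install_flash_player.exe). The following is an added illustration, not part of the original page or any vendor tool, of how a defender can check process-creation or image-load paths for both patterns; the expected directories, the writable-directory list, and the sample paths are constructed assumptions.

```python
# Constructed reference table (assumed paths, not an authoritative inventory):
# legitimate image name -> directory it should run from; None = installer, any dir.
EXPECTED_DIR = {
    "audiodg.exe": "c:\\windows\\system32",
    "msacm32.dll": "c:\\windows\\system32",
    "acrord32.exe": "c:\\program files (x86)\\adobe\\acrobat reader dc\\reader",
    "mfevtps.exe": "c:\\program files\\common files\\mcafee\\platform",
    "install_flash_player.exe": None,
}
# Directories a low-privileged process can write to (heuristic list).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(path):
    """Findings for one process image or loaded-module path; [] means clean."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    findings = []
    if name in EXPECTED_DIR:
        # exact legitimate name (AcroRD32.exe, audiodg.exe) outside its home directory
        expected = EXPECTED_DIR[name]
        if expected is not None and directory != expected:
            findings.append(f"legit-name-wrong-path:{name}")
    else:
        # near miss of a legitimate name, e.g. mfevtpse.exe vs mfevtps.exe
        for legit in EXPECTED_DIR:
            if edit_distance(name, legit) <= 2:
                findings.append(f"lookalike:{legit}")
    # location only adds weight to a name-based finding; on its own it is too noisy
    if findings and any(d in directory + "\\" for d in USER_WRITABLE):
        findings.append("user-writable-dir")
    return findings

def scan(paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {p: f for p in paths if (f := check_image(p))}

# Constructed sample paths: the renamed tool from the page lands in %TEMP%\audiodg.exe.
SAMPLE_PATHS = ["C:\\Windows\\System32\\audiodg.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\audiodg.exe",
                "C:\\Users\\alice\\Downloads\\install_flashplayers.exe", "C:\\ProgramData\\mfevtpse.exe",
                "C:\\Users\\alice\\Documents\\AcroRD32.exe", "C:\\Program Files\\Common Files\\McAfee\\Platform\\mfevtps.exe"]
```

In production the reference table would be built from a software inventory or signed-binary catalogue rather than hand-written, and the findings would be enriched with signer and hash data before alerting.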
