

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe. BackdoorDiplomacy has dropped implants in folders named for legitimate software. BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary. APT41 attempted to masquerade their files as popular anti-virus software.

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe. APT32 has renamed a Cobalt Strike beacon payload to install_flashplayers.exe, and has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT29 has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal. APT28 has changed the extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page. The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware. AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity. Actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe. Aoqin Dragon has used fake icons, including antivirus and external-drive icons, to disguise malicious payloads. During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
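The procedures above fall into two detectable patterns: a genuine binary name executing from a directory it never lives in (audiodg.exe renamed in %temp%, AcroRD32.exe used for malware), and a name one character away from a genuine one (mfevtpse.exe beside the real mfevtps.exe). The following Python is an added example, not code from the ATT&CK page or any of the vendors it cites; the allowlist of expected install directories and the process-creation events are constructed for illustration, and the Levenshtein threshold of one edit is an assumption chosen to catch the McAfee lookalike without flagging unrelated names.

```python
"""Added example: flag image names that match, or nearly match, a
legitimate binary name but do not come from that binary's normal location.

Constructed inputs only; a real allowlist would be built from a golden
image inventory and expanded environment variables, not typed by hand.
"""
import ntpath

# Constructed allowlist (assumption, not a vendor list): lowercase image
# name -> directories it is expected to execute from on a 64-bit Windows host.
KNOWN_BINARIES = {
    "audiodg.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "acrord32.exe": {r"c:\program files (x86)\adobe\acrobat reader dc\reader"},
    "mfevtps.exe": {r"c:\program files\common files\mcafee\systemcore"},
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(image_path: str) -> list[tuple[str, str, str]]:
    """Return findings for one process image path as (rule, name, detail)."""
    # Windows paths are case-insensitive; ntpath works on any host OS.
    directory, name = ntpath.split(image_path.lower())
    findings = []
    if name in KNOWN_BINARIES:
        # Rule 1: right name, wrong place (the "location" half of T1036.005).
        if directory not in KNOWN_BINARIES[name]:
            findings.append(("legit_name_wrong_location", name, directory))
    else:
        # Rule 2: a near miss of a legitimate name (the mfevtpse.exe trick).
        for legit in KNOWN_BINARIES:
            if levenshtein(name, legit) == 1:
                findings.append(("lookalike_name", name, legit))
    return findings


def scan(events):
    """Map each event's image path to its findings (empty list = no alert)."""
    return {path: classify(path) for _, path in events}


# Constructed process-creation events (pid, image path); not real telemetry.
SAMPLE_EVENTS = [
    (4012, r"C:\Windows\System32\audiodg.exe"),
    (4120, r"C:\Users\bob\AppData\Local\Temp\audiodg.exe"),
    (4188, r"C:\Users\bob\Downloads\AcroRD32.exe"),
    (4201, r"C:\Program Files\Common Files\McAfee\SystemCore\mfevtpse.exe"),
    (4230, r"C:\ProgramData\kb-10233.exe"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(path, "->", findings or "ok")
```

Two caveats a practitioner should keep in mind. The location rule is only as good as the allowlist: paths must be compared after environment variables and 8.3 short names are expanded, and a vendor that installs to a second directory will appear as a false positive until the list is updated. The lookalike rule catches mfevtpse.exe but says nothing about kb-10233.exe, because that name has no legitimate counterpart on the host; names that merely sound official need a different signal, such as the file's signature or where it was downloaded from.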
