Masquerading

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.[1] This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.

A third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.[2] For example, a Windows screensaver file named March 25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.[3][4] RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. 

Windows

In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. [5] An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. [6]

An example of abuse of trusted locations in Windows would be the C:\Windows\System32 directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe".

Linux

Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. [7]

An example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binares include "rsyncd" and "dbus-inotifier". [8] [9]

ID: T1036

Tactic: Defense Evasion

Platform:  Linux, macOS, Windows

Data Sources:  File monitoring, Process monitoring, Binary file metadata

Defense Bypassed:  Whitelisting by file name or path

Contributors:  Nick Carr, FireEye; David Lu, Tripwire; Felipe Espósito, @Pr0teus; ENDGAME; Bartosz Jerzman
Version: 1.1

Mitigations

Mitigation Description
Code Signing Require signed binaries.
Execution Prevention Use tools that restrict program execution via whitelisting by attributes other than file name for common operating system utilities that are needed.
Restrict File and Directory Permissions Use file system access controls to protect folders such as C:\Windows\System32.

Examples

Name Description
admin@338

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[10]

APT1

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[11][12]

APT32

APT32 has used hidden or non-printing characters to help masquerade file names on a system, such as appending a Unicode no-break space character to a legitimate service name. They have also used by moving and renaming pubprn.vbs to a .txt file to avoid detection. Additionally, the group has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update.[13][14][15]

BADNEWS

BADNEWS attempts to hide its payloads using legitimate filenames.[16]

BRONZE BUTLER

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[17]

Calisto

Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[18]

Carbanak

Carbanak malware names itself "svchost.exe," which is the name of the Windows shared service host program.[19]

Catchamas

Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.[20]

ChChes

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[21]

CozyCar

The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.[6]

DarkComet

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as legitimate.[22]

Daserf

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[23]

Dragonfly 2.0

Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account.[24][25]

Elise

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[26]

Exaramel

The Exaramel dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[27]

Felismus

Felismus has masqueraded as legitimate Adobe Content Management System files.[28]

FIN6

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows executable. [29]

FIN7

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[30]

FinFisher

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[31][32]

HTTPBrowser

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[33]

InnaputRAT

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService.[34]

InvisiMole

InvisiMole saves one of its files as mpr.dll in the Windows folder, masquerading as a legitimate library file.[35]

Ixeshe

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[36]

Ke3chang

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[37]

KONNI

KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[38]

Kwampirs

Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[39]

LightNeuron

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.[40]

menuPass

menuPass has been seen changing malicious files to appear legitimate. They have also renamed certutil and move it to a different location on system to avoid detection based on use of the tool.[41][1]

Mis-Type

Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[42][43]

Misdat

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[42][43]

MuddyWater

MuddyWater has used filenames and Registry key names associated with Windows Defender. The group has also stored obfuscated JavaScript code in an image file named temp.jpg.[44][45][46]

Nidiran

Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.[47][48]

NOKKI

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.[49]

NotPetya

NotPetya drops PsExec with the filename dllhost.dat.[50]

OLDBAIT

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[51]

OwaAuth

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.[52]

Patchwork

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[53]

PLATINUM

PLATINUM has renamed rar.exe to avoid detection.[54]

PlugX

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[55]

Poseidon Group

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[56]

POWERSTATS

POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.[46]

PUNCHBUGGY

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[57][58]

QUADAGENT

QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.[59]

QuasarRAT

QuasarRAT has dropped binaries as files named microsoft_network.exe and crome.exe.[60]

RawPOS

New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".[61][62][63]

Remsec

The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[64][65]

S-Type

S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.[42][43]

Scarlet Mimic

Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.[66]

Seasalt

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[12]

Shamoon

Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols."[67]

Soft Cell

Soft Cell used a renamed cmd.exe file to evade detection.[68]

Sowbug

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[69]

SslMM

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[70]

Starloader

Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[69]

TEMP.Veles

TEMP.Veles has performed a variety of methods to look like valid users, including renaming files and mimicking legitimate administrator activities.
[71]

Truvasys

To establish persistence, Truvasys adds a Registry Run key with a value "TaskMgr" in an attempt to masquerade as the legitimate Windows Task Manager.[72]

Ursnif

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[73]

USBStealer

USBStealer mimics a legitimate Russian program called USB Disk Security.[74]

Volgmer

Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[75][76]

Winnti

A Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[77]

yty

yty contains several references to football (including "football," "score," "ball," and "loose") in a likely attempt to disguise its traffic.[78]

ZLib

ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[42]

Detection

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. [5] Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.[79]

For RTLO, detection methods should include looking for common formats of RTLO characters within filenames such as "\u202E", "[U+202E]", and "%E2%80%AE". Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the a file containing it.

References

  1. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  2. Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.
  3. Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.
  4. Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.
  5. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
  6. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  7. Michal Malik AND Marc-Etienne M.Léveillé. (2016, March 30). Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices. Retrieved September 7, 2017.
  8. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  9. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  10. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  11. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  12. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  13. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  14. Carr, N.. (2017, December 26). Nick Carr Status Update APT32 pubprn. Retrieved April 22, 2019.
  15. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  16. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  17. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  18. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  19. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  20. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  21. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  22. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  23. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  24. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  25. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  26. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  27. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  28. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  29. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  30. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  31. FinFisher. (n.d.). Retrieved December 20, 2017.
  32. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  33. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  34. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  35. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  36. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  37. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  38. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  39. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  40. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  1. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  2. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  3. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.
  4. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  5. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  6. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  7. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  8. Microsoft. (2006, October 30). How to use the SysKey utility to secure the Windows Security Accounts Manager database. Retrieved August 3, 2016.
  9. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  10. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  11. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  12. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  13. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  14. Carr, N.. (2018, October 25). Nick Carr Status Update. Retrieved April 22, 2019.
  15. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  16. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  17. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  18. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  19. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  20. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  21. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  22. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  23. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  24. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  25. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  26. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  27. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  28. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  29. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  30. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  31. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  32. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
  33. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  34. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  35. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  36. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  37. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  38. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  39. Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.