Masquerading: Match Legitimate Name or Location

Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

ID: T1036.005
Sub-technique of:  T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Defense Bypassed: Application control by file name or path
CAPEC ID: CAPEC-177
Version: 1.0
Created: 10 February 2020
Last Modified: 20 June 2020

Procedure Examples

Name Description
admin@338

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[50]

APT1

The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.[51][52]

APT32

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. [43]

APT39

APT39 has used a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.[62]

APT41

APT41 attempted to masquerade their files as popular anti-virus software.[57]

BackConfig

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.[42]

BADNEWS

BADNEWS attempts to hide its payloads using legitimate filenames.[23]

Blue Mockingbird

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[61]

BRONZE BUTLER

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.[48]

Bundlore

Bundlore has disguised a malicious .app file as a Flash Player update.[44]

Calisto

Calisto's installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.[3]

Carbanak

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[47]

ChChes

ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).[6]

DarkComet

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[28]

Daserf

Daserf uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.[21]

Elise

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[4]

Felismus

Felismus has masqueraded as legitimate Adobe Content Management System files.[9]

FinFisher

FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.[24][25]

Fysbis

Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.[34]

Goopy

Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.[43]

HTTPBrowser

HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.[5]

InnaputRAT

InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.[19]

InvisiMole

InvisiMole saves one of its files as mpr.dll in the Windows folder, masquerading as a legitimate library file.[10]

Ixeshe

Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.[30]

KONNI

KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.[20]

LightNeuron

LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.[31]

Machete

Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.[35]

MechaFlounder

MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.[38]

menuPass

menuPass has been seen changing malicious files to appear legitimate.[56]

Metamorfo

Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer.[41]

Mis-Type

Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[13][14]

Misdat

Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[13][14]

MuddyWater

MuddyWater has used filenames and Registry key names associated with Windows Defender.[45][46]

NOKKI

NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.[22]

OLDBAIT

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[26]

OSX/Shlayer

OSX/Shlayer can masquerade as a Flash Player update.[32][33]

OwaAuth

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\.[15]

Patchwork

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[53] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[54]

Pony

Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy.[37]

Poseidon Group

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[49]

PUNCHBUGGY

PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.[16][17]

QUADAGENT

QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.[27]

Ramsay

Ramsay has masqueraded as a 7zip installer.[39]

Remsec

The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[11][12]

Rocke

Rocke has used shell scripts which download mining executables and saves them with the filename "java".[64]

Ryuk

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[36]

S-Type

S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.[13][14]

Sandworm Team

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[63]

ShimRatReporter

ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.[1]

Silence

Silence has named its backdoor "WINWORD.exe".[58]

Skidmap

Skidmap has created a fake rm binary to replace the legitimate Linux binary.[40]

Sowbug

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[18]

SslMM

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[2]

Starloader

Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.[18]

TEMP.Veles

TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[55]

Tropic Trooper

Tropic Trooper has hidden payloads in Flash directories and fake installer files.[59]

Ursnif

Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.[29]

USBStealer

USBStealer mimics a legitimate Russian program called USB Disk Security.[8]

Whitefly

Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[60]

Winnti for Windows

A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[7]

ZLib

ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.[13]

Mitigations

Mitigation Description
Code Signing

Require signed binaries.

Execution Prevention

Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.

Restrict File and Directory Permissions

Use file system access controls to protect folders such as C:\Windows\System32.

Detection

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. [65] Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.[66]

References

  1. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  2. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  3. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  4. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  5. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  6. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  7. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  8. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  9. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  10. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  11. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  12. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  13. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  14. Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016.
  15. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  16. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  17. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  18. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  19. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  20. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  21. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  22. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  23. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  24. FinFisher. (n.d.). Retrieved December 20, 2017.
  25. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  26. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  27. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  28. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  29. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  30. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  31. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  32. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  33. Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.
  1. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  2. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  4. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  5. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  6. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  7. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  8. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  9. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  10. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  11. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  12. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  13. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  14. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  15. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  16. Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.
  17. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  18. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  19. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  20. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  21. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  22. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  23. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  24. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  25. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  26. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  27. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  28. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  29. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  30. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  31. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  32. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
  33. Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.