Procedure Examples

Aoqin Dragon has used fake icons, including antivirus and external-drive icons, to disguise malicious payloads.

Threat actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe

AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.

APT1 used the file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, as a name for malware.

APT28 has changed the extensions of files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.

APT29 has renamed software and DLLs with legitimate names to appear benign.

APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.

APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking the legitimate McAfee file mfevtps.exe.

APT41 has attempted to masquerade its files as popular anti-virus software.

BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.

BackdoorDiplomacy has dropped implants in folders named for legitimate software.

Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.

BADNEWS attempts to hide its payloads using legitimate filenames.

The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.

Bisonal has renamed malicious code to msacm32.dll to hide within a legitimate library; earlier versions were disguised as winhelp.

BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".

Blue Mockingbird has masqueraded its XMRIG payload by naming it wercplsupporte.dll, after the legitimate wercplsupport.dll file.

BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.

Bumblebee has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.

Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for Mac.

Carbanak has named malware "svchost.exe", which is the name of the Windows shared service host program.

Symantec antivirus update
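The procedures above fall into three patterns a detection engineer can key on: a genuine name in a directory the genuine file never runs from (svchost.exe or audiodg.exe under %TEMP%, a planted msacm32.dll), a near-miss of a genuine name (wercplsupporte.dll, mfevtpse.exe, install_flashplayers.exe), and a tool simply renamed on disk (NetCat as kb-10233.exe), which on Windows usually leaves the PE OriginalFileName that Sysmon Event ID 1 records disagreeing with the file name. The Python below is an added example written for this page, not MITRE's or any vendor's detection content; the expected-directory baseline, the Acrobat and McAfee paths, the edit-distance threshold and the sample events are constructed assumptions for illustration.

```python
"""Added example (not from the ATT&CK page): flag T1036.005 masquerading in
process-creation / image-load events by name, location and OriginalFileName.
The allow-list paths and the sample events are constructed for illustration."""
import ntpath
from typing import List, Optional, Tuple

# Where the genuine file with this name normally lives (lower-case, backslashes).
# Constructed baseline; in practice derive it from a known-good image.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "audiodg.exe": {r"c:\windows\system32"},
    "msacm32.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wercplsupport.dll": {r"c:\windows\system32"},
    "acrord32.exe": {r"c:\program files (x86)\adobe\acrobat reader dc\reader"},
    "mfevtps.exe": {r"c:\program files\common files\mcafee\systemcore"},
}
# Names worth fuzzy-matching against: everything above plus installers that
# have no fixed directory but whose names adversaries imitate.
LOOKALIKE_TARGETS = sorted(set(EXPECTED_DIRS) | {"install_flash_player.exe"})
# 1 catches a single added or changed character (wercplsupporte.dll, mfevtpse.exe);
# 2 also catches install_flashplayers.exe. Larger values get noisy on short names.
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(path: str) -> str:
    """Case-fold and unify separators so Windows paths compare reliably anywhere."""
    return path.lower().replace("/", "\\")


def analyze(image: str, original_filename: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for one event. `image` is the full path of
    the started process or loaded module; `original_filename` is the PE
    OriginalFileName field that Sysmon Event ID 1 records, when available."""
    directory, name = ntpath.split(normalize(image))
    findings = []
    # Rule 1: a well-known name running from somewhere the genuine file never lives
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        findings.append(("unexpected_location", f"{name} started from {directory}"))
    # Rule 2: not a known name itself, but within a couple of edits of one
    if name not in LOOKALIKE_TARGETS:
        for legit in LOOKALIKE_TARGETS:
            if levenshtein(name, legit) <= MAX_EDIT_DISTANCE:
                findings.append(("lookalike_name", f"{name} resembles {legit}"))
    # Rule 3: the on-disk name disagrees with the name compiled into the binary
    if original_filename and normalize(original_filename) != name:
        findings.append(("renamed_binary", f"{name} carries OriginalFileName {original_filename}"))
    return findings


# Constructed sample events echoing the procedures listed above
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe"),            # genuine
    (r"C:\Users\bob\AppData\Local\Temp\svchost.exe", None),         # Carbanak-style
    (r"C:\Users\bob\AppData\Local\Temp\audiodg.exe", None),         # ren ... audiodg.exe
    (r"C:\Windows\System32\wercplsupporte.dll", None),              # Blue Mockingbird-style
    (r"C:\ProgramData\mfevtpse.exe", None),                         # APT39-style
    (r"C:\Users\bob\Downloads\install_flashplayers.exe", None),     # APT32-style
    (r"C:\Users\bob\Downloads\kb-10233.exe", "nc.exe"),             # renamed NetCat
]

if __name__ == "__main__":
    for image, orig in SAMPLE_EVENTS:
        print(image, "->", analyze(image, orig) or "clean")
```

Rule 1 is the only one that catches exact-name reuse such as Bisonal's msacm32.dll or Bumblebee's RapportGP.dll, so it is only as good as the directory baseline behind it; Rule 3 silently misses binaries whose version resource was stripped or rewritten, and Rule 2 should be paired with a minimum name length or a per-name allow-list before it is run against a whole fleet, since two edits between short file names is common in benign software.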