Reported procedure examples of malicious services, scheduled tasks and binaries given names that mimic legitimate ones:

- In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."
- PingPull can mimic the names and descriptions of legitimate services such as iphlpsvc, IP Helper, and OneDrive to evade detection.
- OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.
- Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as the legitimate Removable Storage Manager.
- Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database of the same name.
- Nebulae has created a service named "Windows Update Agent1" to appear legitimate.
- Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.
- Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.
- Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", designed to launch the ransomware.
- Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.
- Lazarus Group has used a scheduled task named SRCheck to mask malicious execution.
- Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.
- KONNI has pretended to be the xmlProv Network Provisioning service.
- Kimsuky has disguised services to appear as benign software or related to operating system functions.
- KillDisk registers as a service under the Plug-And-Play Support name.
- IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.
- InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.
- InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.
- Hildegard has disguised itself as a known Linux process.
- Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.
- Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.
- Green Lambert has created a new executable named Software Update Check to appear legitimate.
- GoldMax has impersonated systems management software to avoid detection.
- Fysbis has masqueraded as the rsyncd and dbus-inotifier services.
- FunnyDream has used a service named WSearch for execution.
- During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.
- Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.
- FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.
- FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.
- The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.
- Egregor has masqueraded as the svchost.exe process to exfiltrate data.
- DCSrv has masqueraded its service as a legitimate svchost.exe process.
- CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.
- Crutch has established persistence with a scheduled task impersonating the Outlook item finder.
- ComRAT has used a task name associated with the Windows SQM Consolidator.
- Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.
- Carbanak has copied legitimate service names to use for malicious services.
- build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.
- BITTER has disguised malware as a Windows Security update service.
- Bazar can create a task named to appear benign.
- BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.
- Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).
- APT41 has created services to appear as benign system tools.
- APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name, and has impersonated the legitimate Flash installer file name "install_flashplayer.exe".
- APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.
- APT-C-36 has disguised its scheduled tasks as those used by Google.
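The examples above reduce to a few recurring tricks: borrowing a legitimate service's display name (PingPull, Kwampirs), one-character near-misses of a real binary or service name (svchast.exe, mstdc), a legitimate name padded with a hidden character (APT32's trailing no-break space), and a legitimate name whose binary lives somewhere it should not (Egregor, DCSrv). The checker below hunts for exactly those patterns in a service or task inventory. It is an added example, not code from the original page or from any project named above; the KNOWN_SERVICES allow-list, the KNOWN_DISPLAY_NAMES mapping, the distance-1 threshold and the four SAMPLE records are constructed assumptions for the demo, not a vendor-supplied baseline.

```python
import ntpath
import unicodedata
from dataclasses import dataclass

# Constructed allow-list for the demo: service name -> directory its image
# should live in. In practice, build this from a known-good host image.
KNOWN_SERVICES = {
    "iphlpsvc": r"c:\windows\system32",
    "wsearch": r"c:\windows\system32",
    "wmiapsrv": r"c:\windows\system32",
    "wuauserv": r"c:\windows\system32",
    "svchost": r"c:\windows\system32",
}
# Display names that legitimately belong to one specific service (assumed).
KNOWN_DISPLAY_NAMES = {
    "ip helper": "iphlpsvc",
    "windows search": "wsearch",
    "wmi performance adapter": "wmiapsrv",
    "windows update": "wuauserv",
}
# Unicode categories that should never appear in a service/task name:
# format (Cf), control (Cc), and space/line/paragraph separators.
SUSPICIOUS_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


@dataclass
class ServiceRecord:
    name: str          # service name or scheduled task name as registered
    display_name: str  # display name or task description
    image_path: str    # binary path, possibly quoted and with arguments


def hidden_chars(s):
    """Non-printing, format and non-ASCII whitespace characters in s.
    A plain ASCII space is allowed; U+00A0 (no-break space) is not."""
    return [c for c in s if c != " " and unicodedata.category(c) in SUSPICIOUS_CATEGORIES]


def normalize(s):
    """NFKC-fold, strip and lower-case so look-alike spellings compare equal
    (NFKC maps U+00A0 to an ordinary space, which strip() then removes)."""
    return unicodedata.normalize("NFKC", s).strip().lower()


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_dir(image_path):
    """Lower-cased directory of the executable in an ImagePath value.
    Handles a quoted path and trailing arguments such as '-k netsvcs'; an
    unquoted path containing spaces is itself a misconfiguration and is
    truncated at the first space here."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        exe = p[1:] if end < 0 else p[1:end]
    else:
        exe = p.split()[0] if p.split() else ""
    return ntpath.dirname(exe).lower()


def check_service(rec):
    """Return the list of masquerading indicators for one record (empty if clean)."""
    reasons = []
    hid = hidden_chars(rec.name) + hidden_chars(rec.display_name)
    if hid:
        reasons.append("hidden characters " + ", ".join(f"U+{ord(c):04X}" for c in hid))
    name = normalize(rec.name)
    if name in KNOWN_SERVICES:
        # Legitimate name, so the binary must come from the expected directory.
        if image_dir(rec.image_path) != KNOWN_SERVICES[name]:
            reasons.append(f"{name} should run from {KNOWN_SERVICES[name]}")
    else:
        near = [k for k in KNOWN_SERVICES if edit_distance(name, k) == 1]
        if near:
            reasons.append("near-miss of " + ", ".join(near))
    owner = KNOWN_DISPLAY_NAMES.get(normalize(rec.display_name))
    if owner and owner != name:
        reasons.append(f"display name belongs to {owner}")
    return reasons


def scan(records):
    """Map each flagged record's raw name to its indicators; clean records are omitted."""
    return {r.name: check_service(r) for r in records if check_service(r)}


# Constructed inventory modelled on the page's examples (not real host data).
SAMPLE = [
    ServiceRecord("iphlpsvc", "IP Helper", r"C:\Windows\System32\svchost.exe -k NetSvcs"),
    # PingPull-style: borrowed display name on an unrelated service.
    ServiceRecord("PingSvc", "IP Helper", r"C:\Users\Public\pingsvc.exe"),
    # APT32-style: legitimate name plus a trailing no-break space, wrong directory.
    ServiceRecord("wsearch\u00a0", "Windows Search", r"C:\ProgramData\wsearch.exe"),
    # Higaisa-style: one letter off from svchost.
    ServiceRecord("svchast", "Host Process", r"C:\Users\Public\svchast.exe"),
]

if __name__ == "__main__":
    for raw_name, reasons in scan(SAMPLE).items():
        print(raw_name.encode("unicode_escape").decode(), "->", reasons)
```

On a live Windows host the records would come from `Get-CimInstance Win32_Service` (Name, DisplayName, PathName) and `schtasks /query /fo csv /v`; the same checks apply to task names and the "Task To Run" column. The distance-1 rule deliberately errs on the side of noise (it will also pair genuinely similar legitimate names), so it is a hunting filter to triage against a golden-image allow-list rather than an alerting rule on its own.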