

LazyScripter has used several different security software icons to disguise executables.
Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.
FoggyWeb can masquerade the output of C2 commands as a fake but legitimately formatted WebP file.
Flagpro can download malicious files with a.
FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.
EnvyScout has used folder icons for malicious files to lure victims into opening them.

Dragonfly has created accounts disguised as legitimate backup and service accounts, as well as an email administration account.
DarkWatchman has used an icon mimicking a text file to mask a malicious executable.
DarkTortilla's payload has been renamed PowerShellInfo.exe.
The Dacls Mach-O binary has been disguised as a.
During C0018, AvosLocker was disguised using the victim company name as the filename.
During C0015, the threat actors named a binary file compareForfor.jpg to disguise it as a JPG file.
BRONZE BUTLER has masked executables with document file icons, including Word and Adobe PDF.

BoomBox has the ability to mask malicious data strings as PDF files.
.jpg extension that contained a malicious Visual Basic script.
APT32 has disguised a Cobalt Strike beacon as a Flash Installer.
APT28 has renamed the WinRAR utility to avoid detection.
AppleSeed can disguise JavaScript files as PDFs.
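Several of the entries above (compareForfor.jpg, JavaScript disguised as PDFs, executables carrying document names) share one property a defender can check for: the file's extension claims a type that its leading bytes contradict. The following is an added example and is not code from MITRE ATT&CK or from the reports behind these entries. The sample files are constructed in memory, and the signature table, extension map and finding strings are the author's own assumptions. It flags extension/magic-byte mismatches, PE images without an executable extension, and a document extension placed in front of an executable one. It also shows the limit of the approach: a renamed legitimate binary (PowerShellInfo.exe, a renamed WinRAR) or FoggyWeb's correctly formatted WebP output passes, because nothing in the bytes contradicts the name.

```python
"""Flag files whose extension claims a type that their leading bytes contradict.

Added example for the masquerading procedures above; not code from MITRE
ATT&CK or from the reports behind those entries. All sample files are
constructed in memory and the signature table is deliberately small.
"""

# (leading bytes, detected type). Checked at offset 0, first match wins.
SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows PE/DLL
    (b"\x7fELF", "elf"),
    (b"\xcf\xfa\xed\xfe", "macho"),                  # 64-bit Mach-O (little-endian)
    (b"\xfe\xed\xfa\xcf", "macho"),                  # 64-bit Mach-O (big-endian)
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also OOXML (.docx, .xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls
]

# Type that each extension claims, in the same vocabulary as detect_type().
EXTENSION_TYPES = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".webp": "webp",
    ".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".zip": "zip",
    ".doc": "ole", ".xls": "ole",
    ".js": "text", ".vbs": "text", ".ps1": "text", ".txt": "text",
}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt"}


def detect_type(data: bytes) -> str:
    """Classify content by magic bytes; 'text' for printable data, else 'binary'."""
    if not data:
        return "empty"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    # WebP is a RIFF container whose form type at offset 8 is 'WEBP'.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    try:
        sample = data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in sample):
        return "text"
    return "binary"


def inspect_file(name: str, data: bytes) -> list:
    """Return a list of masquerading indicators for one file (empty if none)."""
    findings = []
    exts = ["." + p for p in name.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    claimed = EXTENSION_TYPES.get(final_ext)
    detected = detect_type(data)
    if claimed is not None and claimed != detected:
        findings.append(f"extension {final_ext} claims {claimed} but content is {detected}")
    elif detected == "pe" and final_ext not in EXECUTABLE_EXTS:
        # Extension unknown to the table, but the content is still a PE image.
        findings.append(f"PE executable with non-executable extension {final_ext or '(none)'}")
    if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append("document extension hidden before the executable extension")
    return findings


def _pe_stub() -> bytes:
    """Constructed minimal DOS header: 'MZ', e_lfanew at offset 60 pointing at 'PE\\0\\0'."""
    header = bytearray(64)
    header[0:2] = b"MZ"
    header[60:64] = (64).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def _webp_stub() -> bytes:
    """Constructed, well-formed RIFF/WEBP container around a meaningless VP8L chunk."""
    chunk = b"VP8L" + (4).to_bytes(4, "little") + b"\x2f\x00\x00\x00"
    return b"RIFF" + (4 + len(chunk)).to_bytes(4, "little") + b"WEBP" + chunk


# Constructed samples, named after patterns in the procedure list above.
SAMPLES = {
    "compareForfor.jpg": _pe_stub(),                                    # binary named as a JPG
    "invoice.pdf": b"var sh = new ActiveXObject('WScript.Shell');\n",   # script named as a PDF
    "report.pdf.exe": _pe_stub(),                                       # document extension hiding an .exe
    "PowerShellInfo.exe": _pe_stub(),                                   # renamed binary: consistent, not flagged
    "photo.webp": _webp_stub(),                                         # correctly formatted WebP: not flagged
}


def scan(files: dict) -> dict:
    """Run inspect_file() over a name -> bytes mapping."""
    return {name: inspect_file(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name:22} {'; '.join(findings) if findings else 'ok'}")
```

Only the first few hundred bytes are read, so the check is cheap enough to run over a whole download directory or mail quarantine. The two clean results are the caveat: renamed legitimate tools and content that is genuinely valid in its claimed format need other evidence (PE version resources, signer, origin, behaviour), and the network-side masquerades in the list (Kimsuky's lookalike C2 domains, FatDuke's copied user agent) are outside what a file check can see.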
