Procedure examples of masquerading (MITRE ATT&CK T1036), one entry per adversary or software:

- AppleSeed can disguise JavaScript files as PDFs.
- APT28 has renamed the WinRAR utility to avoid detection.
- APT29 has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.
- APT32 has disguised a Cobalt Strike beacon as a Flash Installer.
- (actor name not recoverable from this page) ... .jpg extension that contained a malicious Visual Basic script.
- BoomBox has the ability to mask malicious data strings as PDF files.
- BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.
- During C0015, the threat actors named a binary file compareForfor.jpg to disguise it as a JPG file.
- The Dacls Mach-O binary has been disguised as a ... (remainder of the sentence is missing from the page).
- DarkWatchman has used an icon mimicking a text file to mask a malicious executable.
- Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.
- EnvyScout has used folder icons for malicious files to lure victims into opening them.
- FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.
- Flagpro can download malicious files with a ... (remainder of the sentence is missing from the page).
- FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted, WebP file.
- Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.
- Lazarus Group has disguised malicious template files as JPEG files to avoid detection.
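Several of the entries above (compareForfor.jpg, the Dacls Mach-O binary, AppleSeed's JavaScript-as-PDF, Lazarus Group's JPEG-named templates) share one weakness: the file name claims one type while the bytes are another. The following is an added example, not code from the ATT&CK page or from any of the listed actors or tools, showing a content-sniffing check that flags such mismatches. The magic-byte tables, the type labels and the sample files are constructed for illustration.

```python
"""Flag files whose extension disagrees with their content (T1036 masquerading).

Added example. The sample files in SAMPLES are constructed byte strings,
not real captures.
"""
import os

# Extension -> content type the extension implies. Extensions not listed are
# not judged on type, only on whether they hide executable content.
EXPECTED_TYPE = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".pdf": "PDF",
    ".webp": "WebP", ".txt": "text", ".exe": "Windows PE", ".dll": "Windows PE",
    ".js": "script", ".vbs": "script",
}
EXECUTABLE_TYPES = {"Windows PE", "ELF", "Mach-O", "script"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".so", ".dylib", ".js", ".vbs", ".ps1"}

# Mach-O thin (both endiannesses, 32/64-bit) and fat headers.
# Note: 0xCAFEBABE is also the Java class-file magic; treat as a lead, not proof.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
SCRIPT_MARKERS = ("createobject(", "wscript.", "activexobject", "<script", "eval(", "powershell")


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, independent of the file name."""
    if data.startswith(b"MZ"):
        return "Windows PE"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG"
    if data.startswith(b"RIFF"):
        # WebP is a RIFF container whose form type (bytes 8..12) is "WEBP".
        return "WebP" if data[8:12] == b"WEBP" else "RIFF"
    try:
        text = data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return "binary"
    lowered = text.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return "script"
    return "text"


def check(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = os.path.splitext(name)[1].lower()
    expected = EXPECTED_TYPE.get(ext)
    actual = sniff(data)
    reasons = []
    if actual in EXECUTABLE_TYPES and ext not in EXECUTABLE_EXTS:
        reasons.append(f"{actual} content behind non-executable extension {ext or '(none)'}")
    elif expected is not None and actual != expected:
        reasons.append(f"extension {ext} implies {expected} but content is {actual}")
    return {"name": name, "extension": ext, "claimed": expected,
            "actual": actual, "suspicious": bool(reasons), "reasons": reasons}


def scan(files: dict) -> list:
    """Return the check() results for every file that looks masqueraded."""
    return [r for r in (check(n, d) for n, d in files.items()) if r["suspicious"]]


# Constructed samples: an executable named like the C0015 file, a Mach-O under
# a text extension, a script under a PDF extension, and three benign files.
SAMPLES = {
    "compareForfor.jpg": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "notes.txt": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x00\x02\x00\x00\x00",
    "invoice.pdf": b"var sh = new ActiveXObject('WScript.Shell');\nsh.Run('cmd /c whoami');\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01",
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\n",
    "c2_output.webp": b"RIFF" + (26).to_bytes(4, "little") + b"WEBP" + b"VP8 " + bytes(14),
}

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f"{hit['name']}: {'; '.join(hit['reasons'])}")
```

The structural check catches lazy renames such as compareForfor.jpg, a Mach-O under a document extension, or JavaScript saved as .pdf. It does not catch the FoggyWeb case, where the payload is a legitimately formatted WebP file, nor APT28's renamed WinRAR, whose content is a genuine PE; those need behavioural signals (what the process does, where the bytes go) or a comparison of the PE version resource's original file name against the on-disk name.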