Masquerading: Masquerade Task or Service, Sub-technique T1036.004 - Enterprise (original) (raw)
2022 Ukraine Electric Power Attack
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.[5]
APT-C-36 has disguised its scheduled tasks as those used by Google.[6]
APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[7]
APT41 has created services to appear as benign system tools.[8]
APT41 DUST disguised DUSTPAN as a legitimate Windows binary such as w3wp.exe or conn.exe.[9]
Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.[10]
Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).[11]
BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[12]
Bazar can create a task named to appear benign.[13]
BITTER has disguised malware as a Windows Security update service.[14]
Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service by the same name.[15][16][17]
BOOKWORM has created services that attempt to resemble legitimate services to include a service named Microsoft Windows DeviceSync Service.[18]
build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[19]
During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[20]
Carbanak has copied legitimate service names to use for malicious services.[21]
Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.[22]
ComRAT has used a task name associated with Windows SQM Consolidator.[23]
Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[24]
CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[25]
DCSrv has masqueraded its service as a legitimate svchost.exe process.[26]
DEADEYE has used schtasks /change to modify scheduled tasks including \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[20]
DEADWOOD will attempt to masquerade its service execution using benign-looking names such as ScDeviceEnums.[27]
Egregor has masqueraded the svchost.exe process to exfiltrate data.[28]
Emotet has installed itself as a new service with the service name Windows Defender System Service and display name WinDefService.[29]
The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[30]
FIN13 has used scheduled tasks names such as acrotyr and AppServicesr to mimic the same names in a compromised network's C:\Windows directory.[31]
FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[32]
FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[33]
Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.[34]
During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[35]
FunnyDream has used a service named WSearch for execution.[36]
Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[4]
GoldMax has impersonated systems management software to avoid detection.[37]
Green Lambert has created a new executable named Software Update Check to appear legitimate.[38][39]
Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.[40]
Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[41][42]
Hildegard has disguised itself as a known Linux process.[43]
InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.[44]
InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.[45]
IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[46]
KillDisk registers as a service under the Plug-And-Play Support name.[47]
Kimsuky has disguised services to appear as benign software or related to operating system functions.[48][49]
KONNI has pretended to be the xmlProv Network Provisioning service.[50]
KV Botnet Activity installation steps include first identifying, then stopping, any process containing [kworker\/0:1], then renaming its initial installation stage to this process name.[51]
Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[52]
Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.[53]
Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[54]
Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[55]
Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[56]
Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[57]
Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.[58]
Nebulae has created a service named "Windows Update Agent1" to appear legitimate.[58]
Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.[59][60]
NightClub has created a service named WmdmPmSp to spoof a Windows Media service.[61]
Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[62]
OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services. Such as, naming a LaunchAgent plist file com.apple.openssl.plist which executes OSX_OCEANLOTUS.D from the user's ~/Library/OpenSSL/ folder upon user login.[63]
PingPull can mimic the names and descriptions of legitimate services such as iphlpsvc, IP Helper, and Onedrive to evade detection.[64]
In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[65]
POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.[66]
PROMETHIUM has named services to appear legitimate.[67][68]
Qilin has created a scheduled task named TVInstallRestore to mimic TeamViewer. [69]
RainyDay has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate."[58]
Raspberry Robin will execute its payload prior to initializing command and control traffic by impersonating one of several legitimate program names such as dllhost.exe, regsvr32.exe, or rundll32.exe.[70]
New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".[71][72][73]
RDAT has used Windows Video Service as a name for malicious services.[74]
RedDelta Modified PlugX Infection Chain Operations
Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations.[75]
RTM has named the scheduled task it creates "Windows Update".[76]
Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[77]
Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."[3][78]
ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[79]
SLOTHFULMEDIA has named a service it establishes on victim machines as "TaskFrame" to hide its malicious purpose.[80]
During the SolarWinds Compromise, APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[81]
Spica has created a scheduled task named CalendarChecker for persistence on compromised hosts.[82]
Storm-0501 has utilized Rclone masqueraded as svhost.exe and scvhost.exe.[83]
StrongPity has named services to appear legitimate.[67][68]
SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.[84]
SVCReady has named a task RecoveryExTask as part of its persistence activity.[85]
SysUpdate has named their unit configuration file similarly to other unit files residing in the same directory, /usr/lib/systemd/system/, to appear benign.[86]
Tarrask creates a scheduled task called "WinUpdate" to re-establish any dropped C2 connections.[87]
TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.[88]
TONESHELL has masqueraded as the legitimate Windows utility service DISMsrv (Dism Images Servicing Utility Service).[89]
To establish persistence, Truvasys adds a Registry Run key with a value "TaskMgr" in an attempt to masquerade as the legitimate Windows Task Manager.[90]
Turian can disguise as a legitimate service to blend into normal operations.[12]
UNC3886 has named a file ‘fgfm’ in an attempt to disguise it as the legitimate service ‘fgfmd’ which facilitates communication between FortiManager and the FortiGate firewall.[91]
Uroburos has registered a service named WerFaultSvc, likely to spoof the legitimate Windows error reporting service.[92]
VIRTUALPITA has utilized VMware service names and ports to masquerade as legitimate services.[93]
VOID MANTICORE has masqueraded as commonly used programs and services on Windows hosts.[94]
Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[95][96]
Winter Vivern has distributed malicious scripts and executables mimicking virus scanners.[97]
Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[98] It has also used common document file names for other malware binaries.[99]
ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[100]
ZxxZ has been disguised as a Windows security update service.[14]