Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)
An example of abuse of trusted locations in Windows would be the
C:\Windows\System32directory. Examples of trusted binary names that can be given to malicious binares include "explorer.exe" and "svchost.exe".Another variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)
An example of abuse of trusted locations in Linux would be the
/bindirectory. Examples of trusted binary names that can be given to malicious binares include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Supported Platforms: Windows
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Supported Platforms: Linux
cp /bin/sh /tmp/crond
/tmp/crond