Cybersecurity is like a game of cat and mouse. The defender must hunt an attacker that keeps obscuring itself in diverse ways and different places. One of these methods is masquerading, which hides an attack vector in plain sight by pretending to be something that you trust.
Masquerading is one of the oldest techniques in malevolent coding and is typically used to disguise malicious executables as trusted file types. Threat actors often attach these to phishing emails, such as the TXT file that was actually a VBS script in the famous case of the ILOVEYOU virus. The BlackBerry Threat Research and Intelligence Team explains that masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. The result can be the deployment of a ransomware or spyware payload, with potentially expensive and damaging consequences.
“We urge all organizations to be aware of these attackers’ behaviors,” said Ismael Valenzuela, Vice President of Threat Research and Intelligence at BlackBerry. “The top alerts in all regions are simple things like the Certutil application and Exfiltration Station,” adds Natalia Ciapponi, BlackBerry Threat Emulation Lead. “There are simple things that are being used, which is why it's so important that we start building strategies to effectively detect and prevent this.”
This blog will explore what masquerading is, how it functions, and what mitigations can be put in place to combat it.
Understanding Masquerading Attacks
As detailed in our latest BlackBerry Global Threat Intelligence Report, masquerading (MITRE ATT&CK® Technique T1036) is a sophisticated cyberthreat tactic employed by attackers to disguise their activities and evade detection. For instance, when threat actors use a false name, icon, and metadata, they can easily disguise harmful actions as standard system operations.
Masquerading as a legitimate file or process can trick users and security software into opening or saving a malicious file, which can lead to system penetration and data loss.
Here is a breakdown of common masquerading methods:
Renaming Executables: Attackers often rename malicious executables to pretend they are a legitimate system program (e.g., svchost.exe, explorer.exe), and may change the extension or append a second, fake one (such as .txt, .doc, .exe or .config) to hide the real file type. The goal is to trick users and security tools during manual or automatic system checks, so that the user runs or tries to open the malicious file without heeding any system warnings.
Mimicking File Paths: Files in a commonly trusted directory (e.g., System32) receive less observation and detection from security tools. For that reason, attackers often place malicious files in these directories and give them legitimate process names to conceal them.
Invalid Code Signature: Attackers may sign their malware with invalid or stolen digital certificates to bypass security measures. This misleads systems and users into trusting malicious files or processes by making them appear as if they are verified by a legitimate source. For example, to masquerade cmd.exe as a calculator app, an attacker can run: Copy c:\windows\system32\cmd.exe C:\calc.exe. Attackers may use expired, revoked or fraudulently obtained certificates. Identifying such tactics requires robust certificate validation processes and alert systems that can flag unusual certificate data or failed validations.
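The three methods above can each be checked from process-creation telemetry. The following is an added example (not code from the original post or from BlackBerry) that runs such checks over constructed events; the field names Image, OriginalFileName and SignatureStatus are modelled on Sysmon Event ID 1 and are an assumption, as is the small table of expected install directories.

```python
import ntpath
import re

# Expected install directory for a few well-known Windows binaries (lower-case).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "cmd.exe": r"c:\windows\system32",
}
# A document-looking name followed by an executable extension, e.g. invoice.txt.exe
DOUBLE_EXT = re.compile(r"\.(txt|doc|docx|pdf|config)\.(exe|scr|com|bat|vbs|js)$", re.I)

def check_event(event):
    """Return the masquerading indicators found in one process-creation event.
    Field names (Image, OriginalFileName, SignatureStatus) are modelled on
    Sysmon Event ID 1 and are an assumption of this example."""
    image = event["Image"].lower()
    directory, name = ntpath.split(image)
    findings = []
    # 1. Well-known system binary name running from an unexpected directory.
    expected = EXPECTED_DIRS.get(name)
    if expected and directory != expected:
        findings.append("system binary name outside expected path")
    # 2. Deceptive double extension hiding the real file type.
    if DOUBLE_EXT.search(name):
        findings.append("double extension")
    # 3. On-disk name differs from the PE version-info OriginalFileName
    #    (cmd.exe copied to calc.exe still carries OriginalFileName=Cmd.Exe).
    original = (event.get("OriginalFileName") or "").lower()
    if original and original != name:
        findings.append(f"renamed binary (original {original})")
    # 4. Signature missing, invalid, expired or revoked.
    status = event.get("SignatureStatus", "Unsigned")
    if status != "Valid":
        findings.append(f"signature status {status}")
    return findings

def scan(events):
    """Map each suspicious image path to its findings; clean events are omitted."""
    results = ((e["Image"], check_event(e)) for e in events)
    return {path: hits for path, hits in results if hits}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "svchost.exe", "SignatureStatus": "Unsigned"},
    {"Image": r"C:\calc.exe", "OriginalFileName": "Cmd.Exe", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\bob\Downloads\invoice.txt.exe", "OriginalFileName": "invoice.txt.exe", "SignatureStatus": "Expired"},
]
```

Calling scan(SAMPLE_EVENTS) reports only the three suspicious events; the genuine svchost.exe in System32 produces no findings.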