These binaries retain their original metadata, but their altered names let them blend into the environment while performing malicious tasks such as downloading additional payloads. "Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file's name doesn't match its embedded OriginalFileName," the report added.
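The mismatch check the report describes, as an added example that is not code from the report or from any vendor product: it pulls OriginalFileName out of a PE file's version resource with a small heuristic parser (it scans for the UTF-16LE key instead of walking the resource directory, so it needs no third-party library) and flags an on-disk name that differs from it. The sample bytes, the `_version_string` helper and all function names are constructed for this example.

```python
import struct
from pathlib import Path
from typing import Optional

# UTF-16LE form of the VS_VERSIONINFO String key, including its null terminator.
_KEY = "OriginalFileName".encode("utf-16-le") + b"\x00\x00"


def extract_original_filename(data: bytes) -> Optional[str]:
    """Return the OriginalFileName embedded in a PE image, or None if absent.

    Heuristic: locate the key, read the 6-byte String header (wLength,
    wValueLength, wType) that precedes it, then read the DWORD-aligned value.
    A packed or stripped binary will simply yield None.
    """
    if not data.startswith(b"MZ"):
        return None
    idx = data.find(_KEY)
    if idx < 6:
        return None
    struct_start = idx - 6
    _w_length, w_value_length, w_type = struct.unpack_from("<HHH", data, struct_start)
    if w_type != 1 or w_value_length == 0:  # wType 1 = text data
        return None
    pos = idx + len(_KEY)
    pos += (-(pos - struct_start)) % 4  # value is 32-bit aligned within the struct
    raw = data[pos:pos + 2 * w_value_length]
    return raw.decode("utf-16-le", errors="replace").split("\x00")[0]


def name_mismatch(on_disk_name: str, data: bytes) -> Optional[str]:
    """Return the embedded name when it differs (case-insensitively) from the on-disk name."""
    original = extract_original_filename(data)
    if original is None or original.lower() == on_disk_name.lower():
        return None
    return original


def scan_file(path: str) -> Optional[str]:
    """Detection helper for a real file: non-None means the name was changed after build."""
    p = Path(path)
    return name_mismatch(p.name, p.read_bytes())


def _version_string(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String structure (constructed sample data, not a full PE)."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    body = key_b + b"\x00" * ((-(6 + len(key_b))) % 4) + val_b
    entry = struct.pack("<HHH", 6 + len(body), len(val_b) // 2, 1) + body
    return entry + b"\x00" * ((-len(entry)) % 4)  # children are DWORD-aligned


# Constructed stand-in for a renamed binary: an MZ stub followed by two version strings.
SAMPLE = (b"MZ" + b"\x00" * 62
          + _version_string("CompanyName", "Example Corp")
          + _version_string("OriginalFileName", "svchost.exe"))
```

Run `scan_file()` over a directory of executables and alert on any non-None result; legitimate copies of system binaries under a different name do exist, so treat a hit as a signal to be combined with the download behaviour the report describes.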
The researchers noted that even payload retrieval happens from legitimate hosting sources. Attackers host components on well-known cloud platforms, including AWS, Tencent Cloud, and Backblaze B2. Use of these trusted tools, trusted infrastructure, and staged execution was flagged as a reason for this being a low-noise, reliable attack path.
MSI as the backdoor vehicle for persistence
The final stages of the campaign lead to persistence, using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors.