Kaspersky Threats — Hoax.Win32.ArchSMS.lxaj

Kategorie: Hoax

Eine Falschmeldung ist eine gefälschte Warnung vor einem Virus oder anderem bösartigen Code. In der Regel hat ein Hoax die Form einer E-Mail-Nachricht, die den Leser vor einem gefährlichen neuen Virus warnt und vorschlägt, dass der Leser die Nachricht weitergibt. Hoaxes verursachen an sich keinen Schaden, aber ihre Verteilung durch wohlmeinende Benutzer verursacht oft Angst und Unsicherheit.

Die meisten Antivirus-Anbieter enthalten auf ihren Websites Hoax-Informationen und es ist immer ratsam, vor der Weiterleitung Warnmeldungen zu überprüfen.

Mehr Informationen

Plattform: Win32

Win32 ist eine API auf Windows NT-basierten Betriebssystemen (Windows XP, Windows 7 usw.), die die Ausführung von 32-Bit-Anwendungen unterstützt. Eine der am weitesten verbreiteten Programmierplattformen der Welt.

Familie: Hoax.Win32.ArchSMS

No family description

Examples

A4D5A4EF0E394D0863B18029CEC982CE
AA720656E24431DB6096E1E8BE1EF9D6
CD6C8AB049053CD17AADE7E0150660B8
C293B87679D7533E1F315FD984504FC0
AB2497E153D31DD7679BEB842F76D208

Tactics and Techniques: Mitre*

TA0005

Defense Evasion

The adversary is trying to avoid being detected.

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

T1036.007

Masquerading: Double File Extension

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user’s system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

T1036.008

Masquerade File Type

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.