CISOOnline

WhatsApp malware campaign uses malicious VBS files to gain persistent access

These binaries retain their original metadata, but their altered names allow them to blend into the environment while performing malicious tasks like downloading additional payloads. “Microsoft Defender and other security solutions can leverage this metadata discrepancy as a detection signal, flagging instances where a file’s name does not match its embedded OriginalFileName,” the report added.
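As an added example (not code from the article or from the Microsoft report it quotes), a PowerShell sweep that applies this detection signal: it compares each binary's on-disk name with the OriginalFilename stored in its version resource and lists the discrepancies for triage. The scan root, extension list and output fields are assumptions.

```powershell
# Added example: flag PE files whose on-disk name differs from the
# OriginalFilename in their VERSIONINFO resource. Scan root and extensions
# are assumed defaults; adjust for the environment being reviewed.
param(
    [string]$Root = "$env:ProgramData",
    [string[]]$Extensions = @('.exe', '.dll')
)

function Test-OriginalFileNameMismatch {
    param([System.IO.FileInfo]$File)
    $vi = $File.VersionInfo
    $result = [pscustomobject]@{
        Path     = $File.FullName
        Original = $vi.OriginalFilename
        Company  = $vi.CompanyName
        Signed   = (Get-AuthenticodeSignature -FilePath $File.FullName).Status
        Status   = 'Match'
    }
    # Stripped or unversioned binaries carry no OriginalFilename; report them
    # separately rather than treating the empty value as a mismatch.
    if ([string]::IsNullOrWhiteSpace($vi.OriginalFilename)) {
        $result.Status = 'NoMetadata'
        return $result
    }
    # Some build chains store the name without an extension or with a different
    # one, so compare base names case-insensitively to limit false positives.
    $diskBase = [IO.Path]::GetFileNameWithoutExtension($File.Name)
    $origBase = [IO.Path]::GetFileNameWithoutExtension($vi.OriginalFilename.Trim())
    if ($diskBase -ine $origBase) { $result.Status = 'Mismatch' }
    return $result
}

# Emit only the rows worth a second look; a signed binary with a benign
# rename is common, so the signature status is included as triage context.
Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Test-OriginalFileNameMismatch -File $_ } |
    Where-Object { $_.Status -ne 'Match' } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

The output is a triage list, not a verdict: renamed but validly signed vendor binaries are expected in most environments, so the useful hits are the unsigned or oddly placed mismatches.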

The researchers noted that even payload retrieval happens from legitimate hosting sources. Attackers host components on well-known cloud platforms, including AWS, Tencent Cloud, and Backblaze B2. The use of trusted tools, trusted infrastructure, and staged execution was flagged as the reason this is a low-noise, reliable attack path.

MSI as the backdoor vehicle for persistence

The final stages of the campaign lead to persistence, using Microsoft Installer (MSI) packages as the delivery mechanism for backdoors.
