Malware misinformation

Documenting misinformation in the infosecurity space, focusing particularly on malware analysis and forensics.

Created by @maldr0id


Claim ID: 00004

The following claim is often repeated in analysis critical of forensic reports:

a name of a process similar to a legitimate process name means it’s not malware

The claim is considered: ❌ FALSE ❌

Why is it false?

Malware processes frequently use a misspelling of a benign process name in order to masquerade their activities¹. This is particularly true when it comes to Pegasus². The mere fact that a process name or file name is similar to, but not the same as, a legitimate process name or file name does not make it benign.
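As an added example (not code from this page or the misinformation.tech project), here is the check a forensic analyst would actually run on a process list: names that are near misses of a legitimate name are flagged as lookalikes, rather than being waved through because they resemble something benign. The allowlist and the observed process names are constructed for illustration.

```python
# Added example: flag process names that are close to, but not identical to,
# a legitimate process name. Similarity is a masquerading red flag, not proof
# that a process is benign.
from typing import List, Optional, Tuple

# Constructed allowlist of legitimate names (illustrative, not exhaustive).
LEGITIMATE = ["svchost.exe", "lsass.exe", "explorer.exe", "notepad.exe", "csrss.exe"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, legitimate: List[str] = LEGITIMATE,
             max_ratio: float = 0.25) -> Tuple[str, Optional[str]]:
    """Return (verdict, closest legitimate name).

    'legitimate': exact match ignoring case (Windows file names are case-insensitive)
    'lookalike' : differs from a legitimate name by a small fraction of its length
    'unknown'   : nothing close enough to judge by name alone
    """
    folded = name.lower()
    best_name, best_dist = None, None
    for legit in legitimate:
        d = levenshtein(folded, legit.lower())
        if best_dist is None or d < best_dist:
            best_name, best_dist = legit, d
    if best_name is None:
        return "unknown", None
    if best_dist == 0:
        return "legitimate", best_name
    # Scale the threshold with length so very short names do not match everything.
    if best_dist / max(len(folded), len(best_name)) <= max_ratio:
        return "lookalike", best_name
    return "unknown", None


def triage(process_names: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every observed name; the lookalikes are the ones to investigate."""
    return [(n, *classify(n)) for n in process_names]


if __name__ == "__main__":
    # Constructed sample: "svch0st.exe" (zero) and "Isass.exe" (capital i) are near misses.
    for name, verdict, closest in triage(["svchost.exe", "svch0st.exe", "Isass.exe", "myapp.exe"]):
        print(f"{name:14} {verdict:11} {closest or ''}")
```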

Statement sources

The websites below repeat the claim. This is not a full list of websites.

Campaigns

The misinformation campaigns below have used this claim.

Footnotes