version-info-masquerade
Malware alters the VS_VERSIONINFO resource block to claim a legitimate company name, product name, and file description. Windows Explorer, task managers, and AV reputation engines display this metadata instead of the true origin. The fields CompanyName, ProductName, FileDescription, OriginalFileName, and LegalCopyright are padded with spaces or set to well-known vendor strings (Intel, NVIDIA, Microsoft) to evade user suspicion and reputation-based filtering.
Fingerprint
- OriginalFileName is blank spaces (attempt to hide true filename)
- LegalCopyright is blank spaces (attempt to dodge copyright-check heuristics)
- CompanyName/ProductName match known hardware/software vendors but the binary is unsigned or signed with a fraudulent cert
- Icon resource mimics the claimed vendor's branding
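A detection-side illustration of this fingerprint, added here as an example and not part of the original entry: a minimal parser for the VS_VERSIONINFO tree (StringFileInfo → StringTable → String nodes) and a scorer that flags whitespace-only OriginalFileName/LegalCopyright values and a CompanyName/ProductName vendor claim that is not backed by a valid Authenticode signature. The sample resource blob is constructed inline to mirror the Intel masquerade described on this page and is not taken from any real file; the `signature_valid` flag is an assumed input that a caller would obtain from a separate signature check (for example `signtool verify` or a PE signature library), which is outside this snippet. Note that Windows writes the key as `OriginalFilename` while the fingerprint above spells it `OriginalFileName`; the lookup is case-insensitive so both match.

```python
"""Parse a VS_VERSIONINFO resource and score it against the version-info masquerade fingerprint."""
import struct

FIXEDFILEINFO_SIZE = 52  # sizeof(VS_FIXEDFILEINFO)


def _align4(n):
    return (n + 3) & ~3


def _pad4(b):
    return b + b"\x00" * (_align4(len(b)) - len(b))


def _node(key, value, wtype, value_length, children=b""):
    """Build one tree node: wLength, wValueLength, wType, szKey (UTF-16LE, NUL-terminated), padding, value, children.
    wLength here includes trailing padding; tolerant parsers (including the one below) re-align between siblings."""
    head = _pad4(struct.pack("<HHH", 0, value_length, wtype) + (key + "\x00").encode("utf-16-le"))
    body = _pad4(head + value) + children
    return struct.pack("<H", len(body)) + body[2:]  # patch wLength now that the size is known


def _string(key, text):
    data = (text + "\x00").encode("utf-16-le")
    return _node(key, data, wtype=1, value_length=len(data) // 2)  # text wValueLength counts WCHARs incl. NUL


def build_version_info(strings):
    """Constructed VS_VERSIONINFO blob (not from any real sample) with a single en-US/Unicode string table."""
    fixed = struct.pack("<I", 0xFEEF04BD) + b"\x00" * (FIXEDFILEINFO_SIZE - 4)  # dwSignature, remaining fields zeroed
    table = _node("040904B0", b"", 1, 0, b"".join(_string(k, v) for k, v in strings.items()))
    sfi = _node("StringFileInfo", b"", 1, 0, table)
    return _node("VS_VERSION_INFO", fixed, 0, FIXEDFILEINFO_SIZE, sfi)


def _read_node(buf, off):
    """Parse the node at buf[off:], returning (key, wType, value_bytes, children) and the next sibling offset."""
    w_len, w_vlen, w_type = struct.unpack_from("<HHH", buf, off)
    if w_len < 6 or off + w_len > len(buf):
        raise ValueError(f"bad node length at offset {off}")
    end = off + w_len
    pos = off + 6
    key_end = pos
    while key_end < end and buf[key_end:key_end + 2] != b"\x00\x00":  # szKey is NUL-terminated UTF-16LE
        key_end += 2
    if key_end >= end:
        raise ValueError(f"unterminated szKey at offset {off}")
    key = buf[pos:key_end].decode("utf-16-le")
    pos = _align4(key_end + 2)
    vbytes = w_vlen * 2 if w_type == 1 else w_vlen  # text values are counted in WCHARs, binary ones in bytes
    value = buf[pos:pos + vbytes]
    pos = _align4(pos + vbytes)
    children = []
    while pos < end:
        child, pos = _read_node(buf, pos)
        children.append(child)
    return (key, w_type, value, children), _align4(end)


def parse_version_strings(blob):
    """Return {key: value} for every String node under StringFileInfo (all string tables merged)."""
    root, _ = _read_node(blob, 0)
    out = {}
    for child in root[3]:
        if child[0] == "StringFileInfo":
            for table in child[3]:
                for key, _wtype, value, _children in table[3]:
                    out[key] = value.decode("utf-16-le").rstrip("\x00")
    return out


KNOWN_VENDORS = ("intel", "nvidia", "microsoft")  # the vendors named in the fingerprint


def _get(strings, name):
    # Case-insensitive lookup: Windows writes OriginalFilename, the fingerprint writes OriginalFileName.
    return next((v for k, v in strings.items() if k.lower() == name.lower()), None)


def assess_version_info(strings, signature_valid):
    """Apply the fingerprint: whitespace-only identity fields, and a vendor claim without a valid signature.
    signature_valid is an assumed input from a separate Authenticode check, not computed here."""
    findings = []
    for field in ("OriginalFileName", "LegalCopyright"):
        v = _get(strings, field)
        if v and not v.strip():  # present but nothing except spaces
            findings.append(f"{field} is blank spaces")
    claim = " ".join(filter(None, (_get(strings, "CompanyName"), _get(strings, "ProductName")))).lower()
    if any(vendor in claim for vendor in KNOWN_VENDORS) and not signature_valid:
        findings.append("CompanyName/ProductName claims a known vendor but binary is unsigned or its signature is invalid")
    return findings


# Constructed sample mirroring the Intel Graphics Driver masquerade on this page (not a real file's resource)
SUSPECT = build_version_info({
    "CompanyName": "Intel Corporation",
    "FileDescription": "Intel Graphics Driver Setup",
    "OriginalFilename": "    ",
    "LegalCopyright": "  ",
})

if __name__ == "__main__":
    for finding in assess_version_info(parse_version_strings(SUSPECT), signature_valid=False):
        print("finding:", finding)
```

On a real binary the blob would come from the RT_VERSION resource (pefile's `VS_VERSIONINFO` parsing or a resource walk), and the signature flag from an independent Authenticode verification; the scorer deliberately treats "well-known vendor string" as suspicious only when that signature is missing or invalid, since a genuine signed vendor binary carries the same strings.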
Reproduce
Use Resource Hacker or a custom PE editor to modify the VERSIONINFO block in any PE. Set CompanyName to Intel Corporation, FileDescription to Intel Graphics Driver Setup, and compile. Windows will display the masquerade in Properties → Details.
Pages where observed
- netsupport-inno-dropper — Intel Graphics Driver masquerade
- hippamsascom — "JBOD monitor" by Emard LLC masquerade (0c9e772d), "wireless sensor" by Littel LLC masquerade (9a3c18be)
- sunwukong — "Erdman Group" / 1080p protocol masquerade