Virus Bulletin: Old malware never dies – it just gets more targeted

Putting a precision payload on top of more generic malware makes perfect sense for malware operators

Putting a precision payload on top of more generic malware makes perfect sense for malware operators

Virus Bulletin this year brought a fresh batch of amped-up, refreshed malware with lots more horsepower and devilish amounts of custom-tailored targeting. From singled-out political activist individual targets to regionalized targets, malware’s aim is getting better.

Putting a precision payload on top of more generic malware makes sense. Why forklift a whole new stack under your exploit when you can just replace the tip of the spear to best effect? For example, Lyceum seems like a redo after Talos and others got wise to previous operations. But much of the secret sauce came from threat actors just tacking on some interesting bits like turning the IP octets into four ASCII encoded commands for the C&C server, which is kind of cool.

For malware operators, there’s a certain deniability in using standard tools, which thwarts malware analysis efforts if much of the evidence is a mash-up of standard tools. How would you prove who did it with high confidence? This year we also saw plenty of “technical overlap” where shifts from prior POS hack malware to “big game hunting” ransomware basically follow the money with the smallest possible effort.

Another trend: Highly targeted, nation-state-flavored malware. Political activists in particular are a perennial target (thanks Amnesty International for insight following on from Netscout/Bitdefender work), with hackers tempting targets via malicious smartphone apps for families from the Stealjob/Knspy Donot team. When installed, the rogue app prompts for elevated Android access permissions, then records screen and keyboard input. Attackers tag team with email, and even try to get better at language localization to seem more legitimate (their French wasn’t very good in earlier attempts).

Another thing, PowerShell is the rather new darling for doing bad things on computer targets. Due to more extensive capabilities, it now can provide a host of functionality that can wreak havoc and provides a useful control panel for threat actors like file exfiltration, download of future payloads and interaction with C&C servers.

And if PowerShell is the new hotness on end-user computers, it’s just that much better on a Windows server. That’s almost game over for an affected server, and attackers have definitely noticed this year, crafting ever-more-powerful assaults against the platform.

Not to be outdone, we still have the perennial low-level target: UEFI. ESET researchers recently found a new entrant called ESPecter that alters the boot process via its ESP component, ramping up super-stealthy malware hiding spots that give security software fits.

How do you defend against these kinds of malware? Surprisingly, simple mistakes like spelling errors are still baked into the malicious exploits, like one that misspelled “backdoor” and then copied the misspelling to multiple files, thereby providing a strong thread of a clue.

Ironically, in most of the investigations highlighted, it’s striking how many pieces in the puzzle came together ultimately due to a “fortuitous discovery”: that means the researchers got lucky somewhere along the way. This may also mean finding something obvious posted on the public web that helps identify the malware authors by usernames still left on social media somewhere that clearly links to the operator identities. It’s funny, in the shadowy workings of the researcher’s palette, how often luck reigns.

Speaking of threat actors for hire, special mention goes to the name contest that must’ve been behind the “Operation Hangover” hacker-for-hire group, regardless of their level of success, which I suppose may be related in some way to the clues represented therein.

We’re looking forward to Virus Bulletin next year in Prague – we hope.

In the meantime, why not watch these talks by ESET experts?
Anatomy of native IIS malware (available also as a series of articles and a white paper on WeLiveSecurity)
Sandworm: reading the indictment between the lines (see also this research on WeLiveSecurity)
Security: the hidden cost of Android stalkerware (available also as an article and a white paper here on WeLiveSecurity)
“Fool Us!”, or is it “Us Fools!”? … 11 “Fools” years later…

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center