Story image

Attackers upping the ante on evasion and anti-analysis - Fortinet

12 Aug 2019
Twitter
Facebook

Upping the ante on evasion tactics

Many modern malware tools already incorporate features for evading antivirus or other threat detection measures, but cyber-adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection.

For example, a spam campaign demonstrates how adversaries are using and tweaking these techniques against defenders.

The campaign involves the use of a phishing email with an attachment that turned out to be a weaponised Excel document with a malicious macro.

The macro has attributes designed to disable security tools, execute commands arbitrarily, cause memory problems, and ensure that it only runs on Japanese systems.

One property that it looks for in particular, an xlDate variable, seems to be undocumented.

Another example involves a variant of the Dridex banking trojan which changes the names and hashes of files each time the victim logs in, making it difficult to spot the malware on infected host systems.

The growing use of anti-analysis and broader evasion tactics is a reminder of the need for multi-layered defences and behaviour-based threat detection.

Under the radar attacks aim for the long-haul  

The Zegost infostealer malware, is the cornerstone of a spear-phishing campaign and contains intriguing techniques.

Like other infostealers, the main objective of Zegost is to gather information about the victim’s device and exfiltrate it.

Yet, when compared to other infostealers, Zegost is uniquely configured to stay under the radar.

For example, Zegost includes functionality designed to clear event logs.

This type of cleanup is not seen in typical malware.

Another interesting development in Zegost’s evasion capabilities is a command that kept the infostealer “in stasis” until after February 14, 2019, after which it began its infection routine.

The threat actors behind Zegost utilise an arsenal of exploits to ensure they establish and maintain a connection to targeted victims, making it far more of a long term threat compared to its contemporaries. 

Ransomware continues to trend to more targeted attacks

The attacks on multiple cities, local governments, and education systems serve as a reminder that ransomware is not going away, but instead continues to pose a serious threat for many organisations going forward.

Ransomware attacks continue to move away from mass-volume, opportunistic attacks to more targeted attacks on organisations, which are perceived as having either the ability or the incentive to pay ransoms.

In some instances, cybercriminals have conducted considerable reconnaissance before deploying their ransomware on carefully selected systems to maximise opportunity.

For example, RobbinHood ransomware is designed to attack an organisation's network infrastructure and is capable of disabling Windows services that prevent data encryption and to disconnect from shared drives.

Another newer ransomware called Sodinokibi, could become another threat for organisations. Functionally, it is not very different from a majority of ransomware tools in the wild. 

It is troublesome because of the attack vector, which exploits a newer vulnerability that allows for arbitrary code execution and does not need any user interaction like other ransomware being delivered by phishing email.

Regardless of the vector, ransomware continues to pose a serious threat for organisations going forward, serving as a reminder of the importance of prioritizing patching and infosecurity awareness education.

In addition, Remote Desktop Protocol (RDP) vulnerabilities, such as BlueKeep are a warning that remote access services can be opportunities for cybercriminals and that they can also be used as an attack vector to spread ransomware.

New opportunities in the digital attack surface

Between the home printer and critical infrastructure is a growing line of control systems for residential and small business use.

These smart systems garner comparably less attention from attackers than their industrial counterparts, but that may be changing based on increased activity observed targeting these control devices such as environmental controls, security cameras, and safety systems.

A signature related to building management solutions was found to be triggered in 1% of organisations, which may not seem like much, but it is higher than typically seen for ICS or SCADA products.  

Cybercriminals are searching for new opportunities to commandeer control devices in homes and businesses.

Sometimes these types of devices are not as prioritised as others or are outside the scope of traditional IT management.

The security of smart residential and small business systems deserves elevated attention especially since access could have serious safety ramifications.

This is especially relevant for remote work environments where secure access is important.

Story image
12 Aug
'Wealth economy' key to measuring economic growth – University of Cambridge
Current economic indicators such as the GDP are inadequate for effective economic policymaking, a new study from the Bennett Institute for Public Policy at the University of Cambridge claims.More
Story image
06 Aug
Top four consolidate leadership in cloud services market
AWS, Microsoft, Google and Alibaba continue their dominance in worldwide cloud infrastructure services market.More
Story image
07 Aug
On the shoulders of open source, cloud stands tall – BlackLine
Open source changed software development, but its impact could pale in comparison to the public cloud, writes Pete Hirsch.More
Story image
20 Aug
Sophos report reveals barriers to cybersecurity preparedness in APJ
85% of APJ organisations believe the biggest challenge to their security in the next 24 months will be improving cybersecurity awareness and education among employees and leadership.More
Story image
19 Aug
Microsoft and Jio sign 10-year partnership with sights set on India
The pair have committed to a 10 year partnership that will see different capabilities of both companies combine to offer a set of solutions encompassing connectivity, computing, storage solutions, and other technology services and applications.More
Story image
30 Jul
Star Alliance and NEC Corp sign partnership on biometric data recognition technology
The aim is to allow passengers to pass through curb-to-gate touchpoints within airports, such as check-in kiosks, bag-drop, lounges, and boarding gates with identity solutions.More