Moving Target Defense Blog

Fileless malware is a type of a malicious code execution technique that operates completely within process memory; no files are dropped onto the disk. Without any artifacts on the hard drive to detect, these attacks easily evade most security solutions.

July has been a busy month for the distributors of GandCrab ransomware. After about two months with no major update, the cybercrime gang behind GandCrab released version 4, and a few days later, version 4.1. The primary delivery method is via compromised WordPress websites, which have been hijacked to include fake crack application pages, which in turn redirect to the GandCrab executable. Other distribution methods are Exploit Kits (EK) and malicious email campaigns.

A new highly sophisticated botnet incorporating numerous malicious, evasive techniques is quickly spreading its tentacles. Dubbed MyloBot, the botnet uses an usually complex chain attack and combines multiple anti-analysis techniques to make it more difficult to detect the payload and harder to analyze by security researchers. Initial research published by Deep Instinct points out that everything on the victim’s end takes place in memory, while the main business logic of the botnet is executed in an external process using code injection. This makes it even harder to detect and trace.

On the 12th of April, Morphisec, identified and prevented a major wave of malspam purporting to be from HSBC Bank. The phishing campaign targeted several industrial manufacturing and service enterprises in Asia, using standard but still often effective social engineering tactics. The malicious email delivered a sophisticated info-stealing trojan via a weaponized ISO attachment. ISO files are a type of image archive format used for optical disk images, which can be opened using WinRAR and other programs.

These days, most malware employs a long attack chain with anti-analysis techniques to make it more difficult to detect the payload and harder to analyze by security researchers. More and more frequently, they are also incorporating coin miners in attacks. Such is the case with a newly observed variant of the Dofoil (also known as Smoke Loader) coin miner trojan, which includes a resource-draining cryptocurrency-mining payload. This latest Dofoil strain entered the scene earlier this month and is currently still active.

GandCrab Ransomware

Here is a look at GandCrab ransomware and some techniques it uses to evade detection and analysis. These days, most malware employs long chain attack and anti-analysis techniques to make it more difficult to detect the payload and harder to analyze by security researchers. Such is the case with GandCrab, a new ransomware strain that entered the scene late last month and is currently active.

Towards the end of 2017, a group of researchers at Embedi discovered a Microsoft Office vulnerability that’s been quietly putting systems in danger for about 17 years.

RokRAT is a sophisticated Remote Access Trojan (RAT) that is skilled at evading detection and uses multiple techniques to make analysis difficult. The current RokRAT campaign was identified by Cisco Talos in November. The earliest known RokRAT campaign occured in April, although this used a less evasive malware variant. 

Ransomware remained a major cybersecurity threat in 2017, leaving a trail of victims across all industries, company sizes and geographical borders. Phishing emails are the top ransomware delivery mechanism and they grow in number and sophistication daily. According to IBM, the number of ransomware-infected emails increased 6,000% this year. And the days of easily spotted spelling mistakes and obvious scams are long gone. Today’s phishing attacks are clever and subtle enough to trick even security veterans. 

Packer-based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.