Moving Target Defense Blog

The term “new normal” means different things to different people. For some, the term is synonymous with a return to the office (just with a few tweaks), while others think that co-located teams are gone for good. The reality is probably somewhere in between. Household names like Google and Facebook are planning for a future where most of their employees work remotely most of the time. And where big tech goes, other organizations tend to follow.

In the ongoing war over cybersecurity, endpoints seemed like settled territory. After years of surrounding these vulnerable vectors with defensive technologies and company-wide IT hygiene best practices, it became easy to assume the endpoints were ironclad. Unfortunately, the latest generation of emerging threats handily circumvents and, in many cases, obliterates existing endpoint security defenses.

Remote work is no longer limited to outside sales reps traveling across the country. Today, the remote employee movement has reached into practically every industry. So much so, in fact, that according to Owl Labs, 54 percent of people work remotely at least once per month, 48 percent work remotely at least once per week, and 30 percent work remotely full-time. This marks a substantial change from only a decade ago, when the only people working remotely were often contractors or sales reps.

Organizations in every industry and at every level of government face more cyberattacks each day. According to Ponemon Institute’s recent research, 68 percent of organizations note an increased frequency of attacks against their endpoints. Often, these threats are zero days, fileless attacks, in-memory exploits, and evasive malware designed to circumvent antivirus and endpoint detection and response solutions.

Protecting your organization from advanced threats has always been difficult. Adversaries innovate constantly, changing their attack vectors and finding new ways to infiltrate their target environment. The Trickbot trojan is one of the best examples; its authors have used news coverage from President Trump’s impeachment trial and the WSReset UAC Bypass among other changes to push the trojan past antivirus and malware scanners.

Antivirus protection is a baseline cost of doing business for the modern organization. At first, companies and governments only needed signature-based antivirus that tracked known malware. As fileless malware and exploits accelerated, next-gen antivirus that leveraged AI and behavioral analysis came on the scene to respond.

In this blog, we will present some findings on how NanoCore RAT 1.2.2.0 is actively being delivered in new and different ways that we discovered at Morphisec Labs in the last couple of months. Specifically, we will focus on the sophisticated fileless methods for delivering the RAT without touching the disk.

In August of 2019, just a month after our publication on a targeted BitPaymer/IEncrypt campaign, Morphisec identified a new and alarming evasion technique that the same adversaries adopted while targeting yet another enterprise in the automotive industry.

With summer waning, kids back in school, and year-end quotas looming, we’re coming up to the busiest business travel season of the year. From September through November, business travelers log more trips than any other period. Most organizations take pains to keep their road warriors comfortable and protected from travel hazards, but what about the many lurking cyber hazards risks?

This week, headlines blew up with warnings of a design flaw in the CTF subsystem (msctf) of the Windows Text Services Framework that affects all current Windows systems and those going back as far as twenty years.