If recent sophisticated cyber espionage against government agencies in the Middle East is any indication, cyber defenders will soon need to upgrade their malware detection capabilities.
Cybersecurity, as the saying goes, is a game of cat and mouse. As companies move to Linux and macOS, attackers follow. Attackers deliver malware in phishing attachments, so Microsoft blocks internet macros, so attackers adjust. As cybersecurity tools are strengthened, the ways attackers get around them become more creative and effective.
In February, Kaspersky researchers discovered a threat actor spying on governments in the Middle East. By the time Kaspersky arrived at the attack, it had already recorded at least 30 infections against other organizations, mostly around the Middle East. Nevertheless, the campaign, dubbed “DuneQuixote,” had remained hidden for at least a year, thanks in large part to its combination of classic and novel stealth techniques.
As experts are quick to point out, cyber attackers are becoming more stealthy across the board. Perhaps they are gaining the upper hand again?
“It's perfectly easy to create new malware that evades antimalware detection,” said David Brumley, a cybersecurity professor at Carnegie Mellon University and CEO of ForAllSecure. “Even 'advanced' behavioral analysis can be easily fooled with a few tricks, meaning malware that requires manual analysis to figure out what's really going on. And of course, with all the custom tricks, it becomes really difficult.”
Dune Quixote and Spanish Poetry
The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.
One dropper mimics the Total Commander software installer, packaging the legitimate software together with its malicious contents. Once on a target machine, it performs a series of anti-analysis checks, including checking for the presence of known security software on the device. If any of the checks fail, the malware returns a value of '1', which has a coded meaning: when the attacker's command-and-control (C2) server address is decrypted, a value of 1 removes the 'h' from 'https', so the C2 URL begins with just 'ttps' and no connection is made at all.
The second DuneQuixote dropper is even smarter. Once executed, its first action is a series of application programming interface (API) calls that initially appear to serve no real purpose. Among them sits a string containing an excerpt of a Spanish poem, and that string has a hidden effect: each instance of the dropper carries a different verse line, which gives each instance its own unique signature. This makes things difficult for simple detection solutions that rely on common signatures to identify new instances of known malware.
Like the first dropper, this second dropper also has a way to hide its infrastructure from analysts. It takes the malicious file's name and its single line of Spanish poetry, concatenates them, and runs the result through the MD5 algorithm. The resulting hash serves as the key to decrypt the C2 address.
As for the payloads: the campaign's two very simple backdoors can upload and download files, execute commands, and modify files. To avoid leaving footprints, each is written directly to memory.
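The following Python is an added illustration, not code from the page or from Kaspersky's analysis, of how the two mechanisms just described look from an analyst's side. It constructs two fake dropper "instances" that differ only in their verse line, derives the decryption key as MD5(filename + verse) as the page describes, and recovers the C2 address. Everything else is an assumption made for the example: the cipher (repeating-key XOR, the real one is not on the page), the file layout, the verse lines and the placeholder C2 hostname; the anti-analysis check value is modelled as the number of leading characters dropped from the URL, following the 'https' to 'ttps' behaviour in the text. It also goes one step beyond the text by flagging a recovered URL whose scheme has lost its leading character, which tells an analyst the sample decided it was being watched.

```python
import hashlib
import re
from typing import Dict

# Constructed sample data (not real DuneQuixote artefacts). Each instance carries
# a different verse line; filename + verse, hashed with MD5, yields the C2 key.
SAMPLES = {
    "installer_a.exe": "En un lugar de la Mancha",            # constructed verse line
    "installer_b.exe": "de cuyo nombre no quiero acordarme",  # constructed verse line
}
C2_PLAINTEXT = "https://c2.example.invalid/gate"  # placeholder, not a real C2 address


def derive_key(filename: str, verse: str) -> bytes:
    """Key derivation as described on the page: MD5 over filename concatenated with verse."""
    return hashlib.md5((filename + verse).encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Assumed cipher for this example only (repeating-key XOR); symmetric, so it also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_c2_for_sample(filename: str, verse: str) -> bytes:
    """Produce the encrypted C2 blob for a constructed sample instance."""
    return xor_with_key(C2_PLAINTEXT.encode("utf-8"), derive_key(filename, verse))


def recover_c2(filename: str, verse: str, blob: bytes, check_value: int) -> str:
    """Analyst-side recovery of the C2 address.

    check_value models the dropper's anti-analysis result: 0 when every check passes,
    1 when any check fails. Following the page, the value strips that many leading
    characters from the URL ('https' -> 'ttps'), so no connection would ever be made.
    """
    plain = xor_with_key(blob, derive_key(filename, verse)).decode("utf-8", "replace")
    return plain[check_value:]


SABOTAGED_URL = re.compile(r"^ttps?://")


def looks_sabotaged(url: str) -> bool:
    """True when a URL's scheme lost its leading character: the sample took the
    'I am being analyzed' branch, and a sandbox would see no network activity."""
    return SABOTAGED_URL.match(url) is not None


def analyse_all() -> Dict[str, Dict[str, str]]:
    """Show that per-instance verses change the file hash while the recovered C2 stays the same."""
    results = {}
    for fname, verse in SAMPLES.items():
        blob = encrypt_c2_for_sample(fname, verse)
        # Constructed file layout: marker, verse, NUL, marker, encrypted C2 blob.
        file_bytes = b"VERSE:" + verse.encode("utf-8") + b"\x00C2:" + blob
        results[fname] = {
            "file_md5": hashlib.md5(file_bytes).hexdigest(),
            "c2_checks_passed": recover_c2(fname, verse, blob, 0),
            "c2_checks_failed": recover_c2(fname, verse, blob, 1),
        }
    return results


if __name__ == "__main__":
    for name, info in analyse_all().items():
        print(name, info["file_md5"], info["c2_checks_passed"],
              "sabotaged" if looks_sabotaged(info["c2_checks_failed"]) else "ok")
```

The two file hashes differ, which is exactly why a hash-based signature misses the second instance, while the key derivation recovers the same C2 from both. The wrong verse yields garbage rather than a URL, which is the property the authors rely on to keep the infrastructure hidden from anyone who has only a memory fragment and not the whole file.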
“Among new technologies, fileless malware [is worrying],” said Callie Guenther, senior manager of cyber threat research at Critical Start. “This form of malware significantly reduces its digital footprint, evades traditional antivirus solutions that scan for file-based signatures, and complicates post-breach analysis and forensics. There are particular concerns about its stealth and effectiveness, making it a likely candidate for increasing prevalence.”
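One concrete check against payloads that are written straight to memory is to look for executable memory that no file on disk backs. The Python below is an added example, not code from the page or from any vendor named on it. It parses the Linux /proc/<pid>/maps format, which is an assumption for the sake of a runnable example (the DuneQuixote samples target Windows, where the same question is asked of memory regions enumerated with VirtualQueryEx, but the logic is identical), and flags executable mappings that are anonymous, backed by a memfd, backed by a deleted file, or both writable and executable. The sample maps text is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel pseudo-mappings that are executable by design and not suspicious.
KNOWN_KERNEL_MAPPINGS = {"[vdso]", "[vsyscall]"}


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def classify_mapping(line: str) -> Optional[Finding]:
    """Return a Finding for an executable mapping with no trustworthy file behind it, else None."""
    m = MAPS_LINE.match(line.strip())
    if not m:
        return None
    perms, path = m["perms"], m["path"].strip()
    if "x" not in perms or path in KNOWN_KERNEL_MAPPINGS:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if path == "" or path.startswith("[anon") or path in ("[heap]", "[stack]"):
        reason = "anonymous executable mapping (no backing file)"
    elif path.startswith("/memfd:") or path.endswith("(deleted)"):
        reason = "executable mapping backed by memfd or a deleted file"
    elif "w" in perms:
        reason = "file mapping that is both writable and executable"
    else:
        return None  # ordinary code section of a file on disk
    return Finding(start, end, perms, path, reason)


def scan_maps(text: str) -> List[Finding]:
    """Scan a whole maps file and return every suspicious executable region."""
    return [f for f in (classify_mapping(l) for l in text.splitlines()) if f is not None]


def scan_pid(pid: int) -> List[Finding]:
    """Live variant: read /proc/<pid>/maps of a running process (Linux only)."""
    with open(f"/proc/{pid}/maps", "r") as fh:
        return scan_maps(fh.read())


# Constructed maps excerpt: one normal binary, one non-executable heap arena,
# one RWX anonymous region, one memfd-backed code region and the vdso.
CONSTRUCTED_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1048578 /usr/bin/cat
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
7f3a2c400000-7f3a2c410000 rwxp 00000000 00:00 0
7f3a2c600000-7f3a2c602000 r-xp 00000000 00:05 12345 /memfd:payload (deleted)
7ffd1c2f0000-7ffd1c2f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for finding in scan_maps(CONSTRUCTED_MAPS):
        print(f"{finding.start:012x}-{finding.end:012x} {finding.perms} {finding.path!r}: {finding.reason}")
```

The check has a known benign source of noise: JIT engines (browsers, the JVM, .NET) also allocate executable anonymous memory, so in production the finding should be weighed together with the process image and with what the region does next, rather than treated as a verdict on its own.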
How to thwart advanced stealth tactics
Besides in-memory malware, “the most notable [stealth tactic] I saw was a trick used in a supply chain attack, where malicious code is mixed with legitimate code from an overarching application. It's difficult to pinpoint,” says Sergey Lozhkin, lead security researcher at Kaspersky's Global Research and Analysis Team.
As well as individual tricks, threat actors have learned to adapt to their target's environment, choosing which tools are dropped, at what point, under what conditions, and to what end. “At the highest level, you can't analyze what you don't have. Malware authors take advantage of this idea and incrementally introduce new components, perhaps only when given specific commands by the author. Until those components are downloaded, we don't know what they're doing,” Brumley said.
“More than that,” he added, “the problem is not a single anti-analysis technique. The problem is the sheer number of them and the ability to use them in combination. The malware author could potentially embed a 'weird machine' on which the malware logic runs, and when you try to analyze it you'll see the weird machine instead of the malware logic itself. It might just be encrypting and packing the components and decrypting them step by step. Additionally, some malware may be encrypted with a key that is part of a C2 command but not included in the malware itself. Or it could be a mix of all of the above.”
To counter the full range of stealth tactics and techniques at attackers' disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.
Brumley is less optimistic. “Through the ages, people have suggested only whitelisting, meaning tightly locking down a machine and installing only approved apps (or signed apps from approved vendors). Apple, at least, is most famous for taking this approach, with its walled-garden approach to mobile,” he says.
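To make the behavioral-analytics recommendation concrete, here is an added example (not from the page, from Guenther or Lozhkin, or from any EDR product) of correlating several weak indicators per process inside a time window, so that a single RWX allocation does not fire on its own but the combination the page describes does: probing for security products, unbacked executable memory, a thread starting outside any mapped image, and outbound network traffic. The telemetry lines, event schema, indicator weights, window and threshold are all constructed assumptions.

```python
import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 300   # assumed correlation window
ALERT_THRESHOLD = 4    # assumed minimum combined weight
MIN_DISTINCT = 2       # require at least two different indicator kinds

# Constructed EDR-style telemetry (JSON lines); field names are this example's own.
# pid 4242 shows the chain from the page; pid 5151 is a benign process whose single
# RWX allocation (typical of a JIT) is far in time from its network activity.
CONSTRUCTED_EVENTS = """\
{"ts": 100, "pid": 4242, "type": "process_start", "image": "tcmd_setup.exe"}
{"ts": 101, "pid": 4242, "type": "process_enum", "target": "security product processes"}
{"ts": 102, "pid": 4242, "type": "memory_alloc", "protect": "RWX", "backed_by_file": false}
{"ts": 103, "pid": 4242, "type": "thread_create", "start_in_mapped_image": false}
{"ts": 104, "pid": 4242, "type": "net_connect", "dest": "c2.example.invalid:443"}
{"ts": 200, "pid": 5151, "type": "process_start", "image": "editor.exe"}
{"ts": 201, "pid": 5151, "type": "memory_alloc", "protect": "RWX", "backed_by_file": false}
{"ts": 900, "pid": 5151, "type": "net_connect", "dest": "updates.example.invalid:443"}
"""


def classify(event: dict) -> Optional[Tuple[str, int]]:
    """Map one telemetry event to (indicator name, weight), or None if it is uninteresting."""
    t = event.get("type")
    if t == "process_enum" and "security" in event.get("target", ""):
        return ("anti_analysis_probe", 1)
    if t == "memory_alloc" and event.get("protect") == "RWX" and not event.get("backed_by_file", True):
        return ("unbacked_exec_memory", 2)
    if t == "thread_create" and not event.get("start_in_mapped_image", True):
        return ("thread_from_unbacked_memory", 2)
    if t == "net_connect":
        return ("network_egress", 1)
    return None


def correlate(jsonl: str) -> List[Dict]:
    """Slide a per-process window over the events and raise one alert per process
    whose indicators, taken together, cross the threshold."""
    history: Dict[int, List[Tuple[int, str, int]]] = defaultdict(list)
    alerted = set()
    alerts: List[Dict] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hit = classify(ev)
        if hit is None:
            continue
        pid, ts = ev["pid"], ev["ts"]
        hist = history[pid]
        hist.append((ts, hit[0], hit[1]))
        # Drop indicators that fell out of the window; old evidence should not accumulate forever.
        history[pid] = hist = [h for h in hist if ts - h[0] <= WINDOW_SECONDS]
        if pid in alerted:
            continue
        indicators = {h[1] for h in hist}
        score = sum(h[2] for h in hist)
        if score >= ALERT_THRESHOLD and len(indicators) >= MIN_DISTINCT:
            alerted.add(pid)
            alerts.append({"pid": pid, "ts": ts, "indicators": sorted(indicators), "score": score})
    return alerts


if __name__ == "__main__":
    for alert in correlate(CONSTRUCTED_EVENTS):
        print(f"ALERT pid={alert['pid']} at t={alert['ts']}: {', '.join(alert['indicators'])} (score {alert['score']})")
```

The design choice worth noting is the pairing of a weight threshold with a minimum number of distinct indicator kinds: the first keeps a single noisy signal from alerting, the second keeps a repeated instance of one signal from doing so, and the window is what makes the staged, slow-drip loading that Brumley describes harder to hide, because it is the combination over time that is scored, not any one event.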
“More than that, this is a place where attackers have an asymmetric advantage,” Brumley added. “Therefore, little effort is put into malware analysis and more emphasis is placed on good hygiene to limit what gets installed.”