HP sees attackers combine simple methods to fool detection tools and deploy multi-language malware

A new threat blog from HP Wolf Security’s threat research team has just gone online. The blog shows how opportunistic threat actors can use simple techniques and inexpensive cybercrime tools to bypass Windows security features and anti-virus scanners. HP Sure Click protects users from this type of attack, and it is also what enabled HP to capture the malware trace. The blog also outlines HP’s analysis of the attack and describes mitigations for organizations that aren’t protected. In this case, threat actors used a mix of simple-but-effective and clever tricks to infect victim PCs with AsyncRAT, a remote access trojan that steals sensitive information:

  • The art of illusion: What’s in a name? By simply mislabelling unusual file types (such as batch files) as something more familiar (like a PDF), attackers can trick users into clicking on malicious attachments. This basic technique takes advantage of Windows hiding file extensions by default: if you save a batch (.bat) file as “hello.pdf.bat”, it shows up as “hello.pdf” in Windows File Explorer. While this technique is not new, we see it being used more frequently by commodity threat actors.
  • Ones and zeroes: Attackers are artificially inflating their malicious files by padding them with millions of meaningless ones and zeros. Some were almost 2GB in size, too large for many anti-malware scanners to analyze, allowing malware to slip past a critical detection measure. Because the inflated section follows a repeating pattern, the malware can be compressed into an archive file only a few megabytes large, ideal for spreading the malware in spam campaigns.
  • Here comes the clever part, multi-language malware: by using multiple programming languages, the threat actor evaded detection by encrypting the payload using a crypter written in Go, before disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory, leaving minimal traces on the PC.
    • In-memory execution of .NET files from C++ requires in-depth knowledge of undocumented Windows internals, but threat actors can access these techniques through tools sold in hacker forums.
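The first two tricks above (a double extension that Explorer hides, and a file inflated with repeating padding so scanners skip it) are both cheap to check for at the mail gateway or in a triage script. The following is an added example written for this post, not HP’s code or part of the HP Wolf Security blog: it reproduces the name Explorer would display, flags a document-looking name whose real extension is executable, and measures how much of a file is compressible padding via its deflate ratio. The extension lists, the size and ratio thresholds, and the sample attachment are all assumptions constructed for the example.

```python
import zlib

# Added example (not HP's code): defender-side triage for the two attachment
# tricks described in the post. Extension lists and thresholds are assumptions.

# Extensions Windows will execute directly or hand to a script host.
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1", ".hta", ".com", ".pif"}
# Extensions a user would read as a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows when 'Hide extensions for known file types' is on:
    the final extension is dropped, so 'hello.pdf.bat' is shown as 'hello.pdf'."""
    root, dot, _ext = filename.rpartition(".")
    return root if dot and root else filename


def is_deceptive_double_extension(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the
    user sees ends in a document extension."""
    name = filename.lower()
    root, dot, ext = name.rpartition(".")
    if not dot or not root:
        return False
    if "." + ext not in EXECUTABLE_EXTS:
        return False
    shown = displayed_name(name)
    _, dot2, shown_ext = shown.rpartition(".")
    return bool(dot2) and "." + shown_ext in DOCUMENT_EXTS


def compression_ratio(data: bytes) -> float:
    """Uncompressed size divided by deflate size. Padding made of a repeating
    pattern compresses extremely well, so an inflated file scores very high."""
    if not data:
        return 1.0
    return len(data) / len(zlib.compress(data, 9))


def is_inflated(data: bytes, min_size: int = 512 * 1024, min_ratio: float = 50.0) -> bool:
    """Flag files above min_size whose content is mostly compressible padding.
    Both thresholds are assumptions to tune per environment."""
    return len(data) >= min_size and compression_ratio(data) >= min_ratio


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; an empty list means no hit."""
    findings = []
    if is_deceptive_double_extension(filename):
        findings.append(f"deceptive double extension: shown as '{displayed_name(filename)}', "
                        f"really '{filename}'")
    if is_inflated(data):
        findings.append(f"inflated file: {len(data)} bytes, compression ratio "
                        f"{compression_ratio(data):.0f}x")
    return findings


if __name__ == "__main__":
    # Constructed sample: a small varied header followed by ~1 MB of repeating
    # two-byte padding, delivered under the name 'invoice.pdf.bat'.
    sample = bytes(range(256)) * 16 + b"\x00\x01" * 500_000
    for finding in triage_attachment("invoice.pdf.bat", sample):
        print(finding)
```

The compression-ratio check is deliberately independent of file size, which is the point: a scanner that gives up on a 2GB file can still compress it (or a few sampled chunks of it) cheaply, and a ratio in the hundreds on a file that claims to be a document is itself a strong signal worth routing to a sandbox rather than skipping.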

The blog is here for your reading pleasure.
