Undetected for a year: "Magic Malware" has been spying on "thousands" of UK companies

A covert strand of malicious software has been mining data from “thousands” of UK organisations for almost a year claims Israeli security firm Seculert, which has today revealed its findings on the threat.

The “magic malware”, as it has been dubbed, has been active on machines across Europe and the US for the past 11 months, and worryingly for IT managers, it is still thought to be active and even under further development from its creators.

The multi-faceted nature of the attack vector has made it difficult to identify the specific intention of the perpetrators. As the malware is capable of setting up backdoors, stealing data, and injecting HTML into a the browser, Seculert believes spying on the activity of its targets could be the main purpose of the attacks, “but because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack,” the company warns.

The threat has been labelled ‘magic malware’ due to it unusual methods of communication. As Seculert explains, the C2 server [initiated in communication] told the malware to start communicating with the same IP address and port. But from then on, instead of using the HTTP protocol, the malware had to communicate with the C2 server using a custom-made protocol, and always using a magic code at the beginning of the conversation.”

This method has helped keep the malware beneath security radars for almost a year, affording it the time to infiltrate organisations far and wide. Seculert’s Aviv Raff told ITProPortal that the attackers “were successful in targeting thousands of entities, mostly located in the UK, in the past 11 months,” adding that his team had seen “several industries being targeted - including finance, education and telecom.”

The financial implications and levels of data breach have not yet been uncovered, with Raff saying researchers were “still investigating the actual scale of the damage.”

A chart (right) produced in Seculert's report indicates the extent to which the UK has borne the brunt of the magic malware's infection, having hosted 78 per cent of the attacks detected. The other nations most affected have been Italy, Germany and the US.