
How tweaking known attacks makes them undetectable - Four real-life examples

(Image credit: Shutterstock/lolloj)

Attackers don't have to "reinvent the wheel" to evade detection, bypass security solutions and get the better of their targets. Rather, as attackers continue to demonstrate, the effectiveness of malware strains can be maintained through small tweaks and manipulations to their appearance. By leveraging established attacks in this way, malicious actors can consistently and efficiently modify attacks in order to stay one step ahead of their targets’ security solutions with minimal cost. Polymorphic malware strains like Emotet have even been designed to autonomously modify their appearance to evade a wide variety of signature-based security solutions.

The widespread use of security solutions like this, which rely on past observations to identify threats, does little to counter the dynamic and adaptive techniques of bad actors. The following examples show how attackers who apply small tweaks continue to succeed and profit by staying one step ahead of their targets.
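The point above, that a signature built from past observations breaks as soon as a sample is tweaked, is easy to see on a small model. The following Python is an added example, not code from the original article or from any vendor mentioned in it. It compares an exact hash-based signature against a byte n-gram similarity measure (a simplified stand-in for the fuzzy-hashing and content-similarity techniques defenders use) on a constructed, harmless byte string that plays the role of a payload. All sample bytes, names and the 0.75 threshold are assumptions chosen for the illustration.

```python
"""Exact-match signatures versus similarity matching on a tweaked sample.

Added example. The "payload" below is a constructed, inert byte string used
only to show how detection behaves; it is not malware.
"""
import hashlib

# Constructed stand-in for a known-bad file (arbitrary, non-functional text).
ORIGINAL = b"MZ-stub|PAYLOAD:drop_and_run|c2=example.invalid|key=0123456789abcdef|END"

# A "polymorphic tweak": one byte changed inside the blob and 16 bytes of
# padding appended, the kind of change a builder can make for every sample.
TWEAKED = ORIGINAL.replace(b"key=0123", b"key=9123", 1) + b"\x00" * 16

# Constructed unrelated content, to check that similarity matching does not
# flag everything.
BENIGN = b"%PDF-1.4 quarterly report: revenue, costs, headcount. Nothing to see here."


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def exact_signature_match(sample: bytes, known_hashes: set) -> bool:
    """Hash blocklist: fires only on a byte-for-byte identical file."""
    return sha256_hex(sample) in known_hashes


def ngram_set(data: bytes, n: int = 4) -> set:
    """Set of distinct byte n-grams in the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two samples' n-gram sets, in [0.0, 1.0]."""
    sa, sb = ngram_set(a, n), ngram_set(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def similarity_match(sample: bytes, known_samples: list, threshold: float = 0.75) -> bool:
    """Fires when the sample is close enough to any known-bad sample."""
    return any(jaccard_similarity(sample, k) >= threshold for k in known_samples)


def run_comparison() -> dict:
    """Evaluate both detection strategies on the constructed samples."""
    known_hashes = {sha256_hex(ORIGINAL)}
    known_samples = [ORIGINAL]
    return {
        # The original is caught by its hash; the tweaked copy is not.
        "exact_original": exact_signature_match(ORIGINAL, known_hashes),
        "exact_tweaked": exact_signature_match(TWEAKED, known_hashes),
        # Similarity matching still recognises the tweaked copy and leaves
        # the unrelated file alone.
        "similar_tweaked": similarity_match(TWEAKED, known_samples),
        "similar_benign": similarity_match(BENIGN, known_samples),
        "similarity_tweaked": jaccard_similarity(ORIGINAL, TWEAKED),
        "similarity_benign": jaccard_similarity(ORIGINAL, BENIGN),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

The similarity measure only survives this particular tweak because most of the bytes are unchanged; a real polymorphic engine that re-encrypts or re-packs its body changes nearly every byte, so content similarity degrades as well, which is why detection that looks at what a file does when opened, rather than at what it looks like, is the approach the rest of the article argues for.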

1. GandCrab ransomware

GandCrab is a trojan horse that encrypts files on a targeted user’s computer and demands a form of payment to decrypt them. Primarily, the creators used scam and phishing emails to transmit and infect a victim’s system with the ransomware.

However, rather than being predictable and schematic, the attackers have remained active in adapting their techniques to avoid detection, bypass security solutions and dupe their victims into inadvertently installing ransomware onto their systems via malicious links and documents.

Between the end of January and September last year, the actors behind GandCrab issued five major updates to the attack strain, alongside numerous other bug fixes and tweaks. This agile, development-like approach has allowed them to stay one step ahead of their targets and profit on a consistent basis.

In February, for instance, a partnership of Bitdefender, the Romanian police force and Europol confiscated command-and-control (C&C) servers and shared a decryption tool, named NoMoreRansom, for those affected by GandCrab v1. A matter of days later, GandCrab v2 was released with an updated extension, note name and TOR domain, and with it the attackers regained the upper hand over their victims.

Updates to GandCrab have not only enabled attackers to stay one step ahead; they have distinctly heightened their capacity to cause damage and extort money. The updates that came with GandCrab v5, for example, enable privilege escalation. In this instance, this means that adversaries can exploit certain zero-day vulnerabilities to escalate their privileges once installed on a victim’s computer.

2. Vidar and GandCrab

More recently, malicious actors have started using a hybridised attack vector, which combines the damaging effects of GandCrab ransomware with Vidar Stealer malware.

Vidar is an InfoStealer trojan that scams victims by tricking them into clicking on a rogue advert domain, which appears under the guise of a legitimate company. Once a user has clicked on the malicious domain, their system becomes infected with the malware and an array of proprietary information is made available to the attacker, including instant messages and credit card details.

In contrast to its predecessor, Arkei, Vidar switches C&C server every four days, which makes it even more elusive to those authorities trying to pin down the location of the operational nerve centre.

This increased agility allows attackers to evade detection and operate more confidently, freely and effectively as a result. By bolting GandCrab on to the back of Vidar attacks, they optimise their ability to make profit and cause damage to their victims.

3. HawkEye Keylogger Trojan

HawkEye is another InfoStealer trojan, sold as malware-as-a-service (MaaS). Since it first emerged in the wild several years ago, its creators have persistently tweaked and refined it to increase both their customers' profits and their own.

Following a two-year period of inactivity, a new version surfaced in April last year in the form of HawkEye Keylogger – Reborn v8. At the time of release, this iteration included additional features that enabled it to evade detection, bypass most security solutions and steal victim credentials. 

Despite this hiatus, and the advancements that followed it, HawkEye’s core genetic make-up remained intact: its persistence mechanism, .NET payload, penetration through documents, creating and injecting into VBC.exe, and more.

Therefore, with a few small tweaks, HawkEye and its users were able to re-emerge on the MaaS market with a familiar yet stronger and more elusive attack vector. Its subsequent success suggests that its targets were not able to adapt and modernise with the same proficiency. 

4. Emotet malware

More recently, a new version of Emotet malware surfaced following a short period of stasis and inactivity. This marked the introduction of yet another iteration in a series of modifications that started back in 2014.

Emotet first emerged as an infostealing trojan programmed to steal financial credentials and proprietary data. By learning from experience, it has been continually improved and increased in effectiveness and popularity as a result.

This most recent variant has developed a new capability that allows it to fly under the radar and bypass common security filters. Combined with a previous update, which lets the malicious actor take control of email accounts and send seemingly legitimate emails that dupe recipients into opening malicious files, this makes Emotet progressively more potent, destructive and costly to both organisations and individual users.


Attackers are able to modify their techniques at such a rate that it is not feasible for organisations or individual users to predict what they are going to do next. Nor should they try to. However, it is imperative that these malicious actors, their innovation and their profiteering are combated. To do so, organisations must themselves adapt and evolve by embracing and implementing a new kind of security solution.

The only real means of protecting against mutable attack vectors is to implement a solution that specialises in detecting content-borne attacks by analysing the CPU while the file is open and detecting any kind of alien code embedded in the malicious file. By doing so, organisations can continue to detect and block malicious code and links, no matter what kind of malicious code is embedded in them, what this code is designed to do, and how it changes and develops over time. It’s been proven that such an approach detects and blocks more than 10 times more threats than traditional cybersecurity solutions, providing comprehensive protection irrespective of whether an attack looks 'new' or is 'unknown'.

Liron Barak, CEO and co-founder, BitDam

Liron Barak is CEO and co-founder of BitDam with over 10 years of experience dealing with the most sophisticated cyber threats and exploitation techniques.