APT Alert: ‘Magic’ Malware Targets UK

Thursday, April 18, 2013 @ 03:04 PM gHale


A new “magic” malware is active and persistent, and has remained undetected on targeted machines in the UK for the past 11 months.

Attackers targeted several thousand different entities, most of them in the UK: 78 percent were in the UK, six percent in Italy, and four percent each in Germany and the United States, according to a report from Seculert’s Aviv Raff.


The sample Seculert flagged behaved unusually when communicating with its command and control (C&C) server: it used a custom-made protocol and always sent “a magic code” at the beginning of the conversation, Raff said.

Raff said he did not know why the UK was the main target, but he did say this is a persistent attack that went under the radar for almost a year.

“Furthermore, this malware is still under development,” he said. “We have seen several indications of features that are not yet implemented, and functions that are not yet used by the malware.

“For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will pop up on the RDP session for the attacker via a box with the message ‘TODO:Start browser!’ ”

Raff said the real intention of the attackers behind this “magic” malware is unknown.

“As the malware is capable of setting up a backdoor, stealing information and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” he said.

“But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”

Asked what he felt made this different from other advanced persistent threats (APTs), which also included a backdoor and data-stealing capabilities, Raff said, “We suspect that this is only the first phase of the attack, and like previous ones, the next phase will include a wiper module to cover the attacker’s tracks.”


