New Malware Stays Hidden

Monday, February 2, 2015 @ 06:02 PM gHale

A new piece of malware uses legitimate websites and services in an effort to disguise its malicious activities, researchers said.

The threat has a name of “f0xy” because it’s cunning like a fox and because this particular string has been in its executables and the registries it creates for persistence, said researchers at Websense.

RELATED STORIES
Malware Couples with Backdoor Trojan
Botnets Continue their Rise
IBM Patches Mobile Offering
New Trojan for iOS

The earliest samples identified by researchers date back to January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

The initial dropper ended up detected by only 5 of the antivirus engines on VirusTotal when Websense analyzed it. The detection rate has increased since, but it’s still fairly low.

The developers of f0xy chose not to obfuscate the malware’s code, most likely in an effort to make it look more legitimate and avoid raising suspicion, Websense researchers said.

Another method used to hide the presence of the threat involves the Russian social media website Vkontakte. The malware contains an encoded string that hides a URL pointing to a certain Vkontakte profile. An encoded string posted on the said profile as a comment contains the URL for the command and control (C&C) server used by the malware.

Once the f0xy downloader finds itself on a computer, it leverages the Microsoft Background Intelligent Transfer Service (BITS) to download its payload. BITS transfers files between a client and a server using idle network bandwidth. The component ends up leveraged by services like Windows Defender and Windows Update.

“Presumably the main reason for using BITS is to prevent security products from flagging its behavior as suspicious, because anti-malware solutions are much less likely to have a problem with bitsadmin.exe performing network requests than an unknown executable,” Websense researcher Nick Griffin said in a blog.

In this case, the malware calls the bitsadmin executable directly to specify the parameters for the file transfer (source and destination of the file). However, experts pointed out the transfer can end up even stealthier by interacting with BITS through the Component Object Model (COM) interface.

The payload spotted by Websense is a 64-bit version of CPUMiner, an open source cryptocurrency mining application. The attackers use the CoinMine.pw mining pool to ensure all the virtual currency mined by the infected machines go to them.

“It is clear that financial motivations remain at the forefront of cybercriminal minds, with the anonymity of cryptocurrency providing a somewhat safer route for collecting the spoils,” Griffin said. “We also expect to see a continuing growth of malware authors migrating to legitimate and reputable websites, to hide their malicious activities, and we expect plenty more evasion tactics adopted as authors continue to subvert security products.”



Leave a Reply

You must be logged in to post a comment.