
Stealthy Malware: How Does it Work and How Should Enterprises Mitigate It?

By Marianne Bermejo, Malware Researcher, VIPRE Security Group 

Researchers report that “hunter-killer” malware is on the rise, and cybersecurity professionals estimate that the majority of malware now employs stealth-oriented techniques.

This “stealthy” malware is malicious software designed to evade detection while performing harmful activities on a system or network. It has evolved through techniques such as code obfuscation, polymorphism and rootkits that hide its presence from the operating system and from security tools. This evolution reflects a cat-and-mouse game between cybercriminals and security professionals, in which malware continuously adapts to bypass increasingly sophisticated detection mechanisms.

How stealthy malware works  

Stealthy malware is best illustrated by a recent, real-world example: TA577, a ransomware-linked threat actor that silently distributes malware loaders such as Qakbot and Pikabot. TA577 relies on email thread hijacking, in which the attacker replies into a stolen, legitimate email conversation so that the malicious message arrives as part of a thread the recipient already trusts.

The attackers craft deceptive emails that appear as replies to previous legitimate conversations. Because the thread is real and the sender impersonates a senior executive, it is difficult for people to notice that the conversation has turned malicious: “I forwarded the paperwork to you yesterday, could you access it?” or “I approved the payment to XXX, has the transfer been executed?”. It is a cunning technique that exploits how people think and act in their job roles.

These emails carry zipped HTML attachments or links. When the recipient opens the attachment or follows the link, the loader is fetched and executed, infecting the computer and stealing information. Because the message arrived inside a trusted thread, the attackers get their code running on the endpoint with little scrutiny and can operate discreetly from there. The loader collects details about the victim’s system such as the username, IP address, computer name and domain name, and credentials stolen from the endpoint can then be used against the organisation’s servers, potentially compromising entire IT systems and infrastructure.
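The pattern described above can be triaged at the mail gateway before anyone opens the attachment. The following is an added example written for this article, not VIPRE tooling or anything recovered from TA577: it parses one message, checks whether an external sender is replying into an existing thread, and looks inside zip attachments for HTML files by name without extracting them. The internal domain `example-bank.test`, the sender addresses and the lure itself are constructed for the demonstration.

```python
"""Triage an inbound message for the thread-hijacking pattern: a reply into an
existing conversation, sent from outside the organisation, carrying a zipped
HTML attachment. Added example code, not VIPRE's and not TA577's."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: the receiving organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example-bank.test"}
HTML_EXTS = (".html", ".htm", ".hta")


def looks_like_reply(msg):
    """True when the message claims to continue an existing thread."""
    subject = (msg.get("Subject") or "").strip().lower()
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    return threaded or subject.startswith(("re:", "fw:", "fwd:"))


def html_members(blob):
    """Names of HTML-like files inside a zip blob (names only; nothing is extracted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(HTML_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw_bytes, internal_domains=INTERNAL_DOMAINS):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing or unparsable From header"]
    sender = from_hdr.addresses[0]
    domain = sender.addr_spec.rsplit("@", 1)[-1].lower()
    external = domain not in internal_domains
    if external and looks_like_reply(msg):
        findings.append(f"external sender {sender.addr_spec} "
                        f"('{sender.display_name}') replying into an existing thread")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        if name.endswith(HTML_EXTS):
            findings.append(f"HTML attachment {name}")
        inside = html_members(blob)
        if inside:
            findings.append(f"zip attachment {name} contains HTML: {', '.join(inside)}")
    return findings


def build_lure():
    """Constructed sample lure (not a real TA577 message): an external 'executive'
    replies to a real-looking thread with paperwork.zip wrapping paperwork.html."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("paperwork.html", "<html><body>placeholder, no payload</body></html>")
    msg = EmailMessage()
    msg["From"] = "CFO Jane Roe <jane.roe@freemail.invalid>"
    msg["To"] = "accounts@example-bank.test"
    msg["Subject"] = "RE: Q3 supplier payment"
    msg["In-Reply-To"] = "<thread-0001@example-bank.test>"
    msg.set_content("I forwarded the paperwork to you yesterday, could you access it?")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="paperwork.zip")
    return msg.as_bytes()


def build_benign_reply():
    """Constructed benign internal reply with no attachment."""
    msg = EmailMessage()
    msg["From"] = "Jane Roe <jane.roe@example-bank.test>"
    msg["To"] = "accounts@example-bank.test"
    msg["Subject"] = "RE: Q3 supplier payment"
    msg.set_content("Approved, please go ahead.")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_lure()):
        print("FLAG:", finding)
    print("benign reply findings:", triage(build_benign_reply()))
```

Two findings on the lure (external reply into a thread, zip containing HTML) and none on the benign internal reply is the intended result. Listing zip members by name keeps the check cheap and avoids decompressing attacker-supplied data on the gateway; nested archives and password-protected zips, both common in loader campaigns, would need a second pass that this example does not attempt.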

Recent real-world examples

The financial sector is a top target of cybercriminals, both for monetary gain and for state-sponsored cyberespionage. The sector’s digital environment, together with its reliance on the open-source software supply chain, leaves financial operations highly exposed.

Recently, cybercriminals unleashed a phishing campaign targeting financial institutions in the Middle East, Africa, South and Southeast Asia, as well as Visa customers. The threat actors deployed the JsOutProx malware, potentially to conduct fraudulent activity. Not long before, criminals used an almost undetectable Linux malware strain against the Latin American financial sector with the sole aim of capturing credentials and establishing backdoor access to victims’ machines.

This category of stealthy malware develops and deploys new techniques quickly, and attackers continuously refine and experiment with new delivery approaches. For example, threat actors are using Android banking trojans to automate the theft of online funds from everyday users.

What can financial organisations do?

As attackers continuously refine their tactics, organisations need to remain vigilant and proactively implement robust security measures to defend against such threats.

To mitigate such attacks, check the emails you receive for typos or grammatical errors. Hackers sometimes include language errors deliberately to evade email filters: by intentionally distorting common words or phrases, they increase the likelihood that their emails bypass traditional security measures and reach recipients’ inboxes, increasing the efficacy of the campaign.

Exercise caution by verifying the legitimacy of any unfamiliar source before clicking on links or downloading attachments, as a single lapse in judgment could compromise device security and lead to server-level breaches. Be sceptical of urgent requests and unexpected emails too.

Maintain up-to-date antivirus software. Financial firms handle sensitive customer data and large sums of money, so they remain prime targets for cyber-attacks and malware infections. Reputable antivirus vendors frequently release updates to address newly discovered threats, so financial organisations must ensure the software is regularly updated to close detection gaps. Up-to-date antivirus software is crucial for detecting and neutralising the latest viruses, trojans and other malicious code that infiltrate systems, compromise sensitive information or disrupt operations. Without it, a single infected device on the network can act as an entry point for attackers.

Block outbound SMB (Server Message Block) traffic at the network edge. SMB is the protocol used for shared access to files, printers and other resources on a network, and there is rarely a legitimate reason for an endpoint to speak it to hosts on the internet. A host lured into opening a path to an attacker-controlled share will attempt to authenticate to it, handing the attacker credential material, so dropping outbound TCP 445 and 139 (and the NetBIOS helper ports UDP 137 and 138) to non-internal destinations removes that avenue and significantly reduces the exposure of internal resources.
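Two things follow from that recommendation in practice: finding out whether any host is already talking SMB to the internet, and writing the rule that stops it. The example below is added for this article and is not VIPRE tooling. It scans a handful of constructed egress records (the addresses in 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for attacker-controlled hosts) and prints the nftables and Windows Firewall rule text that would drop the flagged traffic; the internal ranges are an assumption to be replaced with the organisation’s real address plan.

```python
"""Find outbound SMB/NetBIOS flows leaving the organisation in constructed egress
records and emit the firewall rules that would block them. Added example code,
not VIPRE's."""
import ipaddress

# SMB over TCP plus the NetBIOS name and datagram services that older SMB relies on.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Assumption: everything inside these ranges is "our network"; adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True when the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_outbound_smb(proto, dst_ip, dst_port):
    """True for SMB-related traffic whose destination lies outside the internal ranges."""
    if (proto.lower(), int(dst_port)) not in SMB_PORTS:
        return False
    return not is_internal(dst_ip)


def scan_flows(lines):
    """Parse 'timestamp proto src dst_ip:dst_port' records and return the offending ones."""
    hits = []
    for line in lines:
        ts, proto, src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if is_outbound_smb(proto, dst_ip, dst_port):
            hits.append({"ts": ts, "src": src, "dst": dst_ip,
                         "port": int(dst_port), "proto": proto.lower()})
    return hits


def block_rules():
    """Rule text for a Linux gateway (nftables) and for Windows endpoints (Windows Firewall).
    Only the three RFC 1918 ranges are exempted; loopback/link-local never reach the rule."""
    nets = ", ".join(str(n) for n in INTERNAL_NETS[:3])
    nft = [
        f"nft add rule inet filter output ip daddr != {{ {nets} }} tcp dport {{ 139, 445 }} counter drop",
        f"nft add rule inet filter output ip daddr != {{ {nets} }} udp dport {{ 137, 138 }} counter drop",
    ]
    win = [
        'New-NetFirewallRule -DisplayName "Block outbound SMB" -Direction Outbound '
        '-Protocol TCP -RemotePort 139,445 -RemoteAddress Internet -Action Block',
        'New-NetFirewallRule -DisplayName "Block outbound NetBIOS" -Direction Outbound '
        '-Protocol UDP -RemotePort 137,138 -RemoteAddress Internet -Action Block',
    ]
    return {"nftables": nft, "windows_firewall": win}


# Constructed egress records: "timestamp proto src dst:port".
SAMPLE_FLOWS = [
    "2024-02-26T10:01:02Z tcp 10.20.30.40 10.20.30.5:445",    # internal file server: fine
    "2024-02-26T10:01:09Z tcp 10.20.30.40 203.0.113.7:445",   # SMB straight to the internet
    "2024-02-26T10:01:10Z udp 10.20.30.40 198.51.100.9:137",  # NetBIOS name query leaving
    "2024-02-26T10:01:11Z tcp 10.20.30.40 203.0.113.7:443",   # ordinary HTTPS: fine
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("OUTBOUND SMB:", hit)
    for platform, rules in block_rules().items():
        print(f"--- {platform}")
        print("\n".join(rules))
```

The two internet-bound SMB records are the ones flagged; the internal 445 connection and the HTTPS session are left alone. Run the scan against real proxy or NetFlow export before enabling the rule so that any legitimate SMB to a partner or cloud file service is identified and exempted explicitly rather than silently broken.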

No amount of technology will ever be sufficient on its own to quell the onslaught of threat actors. Single, annual courses or classroom sessions are insufficient. Financial organisations must have programmes in place to continuously raise awareness of new security threats and of the techniques that malicious hackers deploy.

Ultimately, due to the nature of cybercrime, cybersecurity is a shared responsibility between organisation and staff. By staying informed, adopting best practices, and exercising diligence in their online activities, employees play a critical role in safeguarding their organisation and indeed themselves.
