Well, this is one way to ruin an IT manager's morning coffee: a new form of malware has been discovered that won't be detected by standard antivirus.
An article published on The Register this morning details a rare form of malware that can steal data from a machine without installing any files. The malware is extremely difficult to detect because it sets up home within the computer's registry, so antivirus finds no suspicious-looking files on an infected machine. Nice!
In a report, Paul Rascagneres stated, "All activities are stored in the registry. No file is ever created. So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot. To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."
Paul Rascagneres (@r00tbsd) has a reputation for ripping malware and bots to uncover and undermine black hat operations. Last year, Rascagneres won the Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1.
The code has been spread, somewhat typically, through email. The mail, currently being sent under the guise of Canada Post and UPS tracking information, carries a Word document containing the malicious code. Once opened, the document creates a hidden, encoded autostart registry key, which subsequently executes shellcode and a binary payload (the component that gives the attacker access to the device).
Rascagneres added, “This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful.”
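As an added example (not from the article or from Rascagneres' report), here is a small Python check an incident responder could run over a `reg export` of the Run key to flag the two traits described above: a value name that ordinary tools cannot display, and a long encoded blob where a command line should be. The key path, the length and alphabet thresholds, and the sample export are assumptions constructed for the illustration.

```python
import re
import string

# Autostart key to inspect (assumption: the Run key the article describes).
AUTOSTART_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def hidden_name(name: str) -> bool:
    # Control or non-ASCII characters stop regedit and most autostart viewers from displaying the name.
    return any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in name)

def looks_encoded(data: str, min_len: int = 200) -> bool:
    # A normal Run value is a short command line; a long base64-alphabet string is an encoded payload.
    body = data.strip('"')
    if len(body) < min_len:
        return False
    alphabet = set(string.ascii_letters + string.digits + "+/=")
    return sum(ch in alphabet for ch in body) / len(body) > 0.95

def scan_reg_export(text: str) -> list:
    """Report (key, value name, reasons) for suspicious values under the autostart key."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val = _VALUE_RE.match(line)
        if not val or not current_key or not current_key.endswith(AUTOSTART_KEY):
            continue
        name, data = val.group(1) or "(Default)", val.group(2)
        reasons = []
        if hidden_name(name):
            reasons.append("non-printable or non-ASCII value name")
        if looks_encoded(data):
            reasons.append("long encoded-looking payload instead of a command line")
        if reasons:
            findings.append((current_key, name, reasons))
    return findings

# Constructed sample export: one ordinary entry and one hidden, encoded entry.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="C:\\\\Program Files\\\\OneDrive\\\\OneDrive.exe /background"\n'
    '"\x01"="' + "QUJD" * 60 + '"\n'
)
```

Running `scan_reg_export(SAMPLE_REG)` reports only the second entry, with both reasons; the ordinary OneDrive entry passes.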