

Malware Developers Refresh Their Attack Tools

Cisco analyzes the latest version of the LokiBot malware for stealing credentials, finding that its developers have added more misdirection and anti-analysis features.

The developers of attack tools continue to make headway in preventing defenders from detecting and analyzing their malware, creating more complex infection chains to stymie defenses, an analysis by the Cisco Talos research team stated this week.

The researchers analyzed the latest attack techniques associated with an information-stealing campaign, known as LokiBot, and found that its developers have added a third stage to its process of compromising systems, along with more encryption, as a way to escape detection. The attacks also use a variety of other techniques, such as socially engineering users into enabling macros in Microsoft Office, using images to hide code, and widespread encryption of resources.


While attackers will do the minimum necessary to successfully compromise systems, they need to do more because defenders are getting better, says Holger Unterbrink, a threat researcher with Cisco Talos.

"Operating systems got much more secure than they were a few years ago, [so] attackers need to adapt," he says. "Malware is a business [and so they have to build] malware which is good enough to bypass security measures on a reasonable number of devices."

The LokiBot malware is not alone in its growing sophistication to prevent analysis and detection. In October, Facebook revealed that adware used session cookies, geolocation spoofing, and changing of security settings to keep persistence on its platform, resulting in charges of more than $4 million. In general, attackers are more likely to use one-off Web addresses to fool blocklists, focus on reconnaissance of targeted networks, and use credential harvesting to gain access, according to Microsoft's "Digital Defense Report," published in September.

The attack trends underscore that a multilayered approach to defenses is necessary to detect these attacks. While adversaries may manage to bypass one or more security measures, more potential points of detection will mean a greater chance of detecting intrusions before they become breaches.

"Attackers will do what works," Unterbrink says. "If we would prepare ourselves for a certain new bypass technique, they would just use a different one. It is more important to track, find, and detect new techniques used in the wild as soon as possible."

In total, the LokiBot dropper uses three stages, each with a layer of encryption, to attempt to hide the eventual source of code. The LokiBot example shows that threat actors are adopting more complex infection chains and using more sophisticated techniques to install their code and compromise systems. 

Distributing malicious actions over a number of stages is a good way to hide, says Unterbrink.

"Due to increased operating system security and endpoint and network protection, malware needs to distribute the malicious infection stages over different techniques," he says. "In some cases, multiple stages are also necessary because of a complex commercial malware distribution system used by the adversaries to sell their malware in the underground as a service."

Phishing attacks conducted through an online cybercrime service, for example, may limit how much an attacker can do in that first stage. 

The increase in sophistication of the attack tools does not necessarily mean that attackers are becoming more sophisticated as well. A variety of cybercrime services are available to allow even unskilled attackers to conduct relatively sophisticated attacks.

Many attacks continue to use Microsoft Word and Excel files as a way to hide the initial stage. In the LokiBot case, the attackers used an Excel file. 

Defenders should continually look out for intelligence on new campaigns and on how attackers are refining the techniques, technology, and procedures used to fool users and compromise systems, Cisco Talos stated.

"Companies should expect that a few percentages of new malware may bypass their security systems," Unterbrink says. "Some users may always be tricked into opening malware."

Because attackers often spend days to weeks in a network to determine the most valuable data, often as a prelude to a ransomware attack, detecting lateral movement, and not just the initial compromise, is important.
