
Malware Developers Refresh Their Attack Tools

Cisco analyzes the latest version of the LokiBot malware for stealing credentials, finding that its developers have added more misdirection and anti-analysis features.

The developers of attack tools continue to make headway in hindering defenders' efforts to detect and analyze their malware, building more complex infection chains to stymie defenses, according to an analysis the Cisco Talos research team published this week.

The researchers analyzed the latest attack techniques associated with an information-stealing campaign, known as LokiBot, and found that its developers have added a third stage to its process of compromising systems, along with more encryption, as a way to escape detection. The attacks also use a variety of other techniques, such as socially engineering users into enabling macros in Microsoft Office, hiding code inside image files, and widespread encryption of embedded resources.


While attackers will do only the minimum necessary to compromise systems, that minimum is rising because defenders are getting better, says Holger Unterbrink, a threat researcher with Cisco Talos.

"Operating systems got much more secure than they were a few years ago, [so] attackers need to adapt," he says. "Malware is a business [and so they have to build] malware which is good enough to bypass security measures on a reasonable number of devices."

The LokiBot malware is not alone in its growing sophistication at evading analysis and detection. In October, Facebook revealed that adware used session cookies, geolocation spoofing, and changes to security settings to maintain persistence on its platform, resulting in more than $4 million in fraudulent ad charges. In general, attackers are more likely to use one-off Web addresses to defeat blocklists, to focus on reconnaissance of targeted networks, and to harvest credentials to gain access, according to Microsoft's "Digital Defense Report," published in September.

These trends underscore the need for layered defenses. An adversary may bypass one or more security measures, but each additional potential point of detection raises the chance of catching an intrusion before it becomes a breach.

"Attackers will do what works," Unterbrink says. "If we prepared ourselves for a certain new bypass technique, they would just use a different one. It is more important to track, find, and detect new techniques used in the wild as soon as possible."

In total, the LokiBot dropper uses three stages, each wrapped in its own layer of encryption, to conceal the final payload. The LokiBot example shows that threat actors are adopting more complex infection chains and more sophisticated techniques to install their code and compromise systems.

Spreading malicious actions across a number of stages is an effective way to hide, Unterbrink says.
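To make the "peel one layer, find the next" analysis loop concrete, here is an added example that is not from the Talos report and not LokiBot's real scheme: it constructs a toy three-stage chain (a PNG carrier with a single-byte-XOR'd PE loader appended, whose body carries the final PE as base64), then recovers all three stages without knowing the key in advance. The PNG trailer carving, the XOR key brute force validated against the PE header, and the base64-run scan are common analyst moves; the stage layout, key value and markers are this example's assumptions.

```python
"""Peel a three-stage dropper chain: image carrier -> XOR'd PE loader -> base64'd final PE.

Added example with a constructed toy chain; the layering, key and markers are assumptions
and do not describe LokiBot's actual encryption.
"""
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long base64 runs (length >= 64)


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the weakest 'encryption' droppers reach for (constructed here)."""
    return bytes(b ^ key for b in data)


def tiny_pe(tail: bytes) -> bytes:
    """Smallest blob that passes is_pe(): 'MZ', e_lfanew at 0x3C pointing to 'PE\\0\\0' at 0x80."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x80)
    return dos + bytes(0x80 - len(dos)) + b"PE\x00\x00" + tail


def is_pe(data: bytes) -> bool:
    """Structural PE check: DOS magic plus a valid e_lfanew that lands on the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample() -> bytes:
    """Constructed three-stage blob (not a real sample)."""
    stage3 = tiny_pe(b"FINAL-PAYLOAD")                      # stage 3: final payload
    stage2 = tiny_pe(b"\nRES=" + base64.b64encode(stage3))  # stage 2: loader carrying stage 3 as base64
    iend = b"IEND"
    png = PNG_SIG + struct.pack(">I", 0) + iend + struct.pack(">I", zlib.crc32(iend))
    return png + xor1(stage2, 0x5A)                         # stage 1: image with encrypted loader appended


def carve_after_iend(blob: bytes) -> bytes:
    """Return the bytes that follow the PNG IEND chunk; decoders ignore them, droppers use them."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(blob):
        length = struct.unpack_from(">I", blob, off)[0]
        ctype = blob[off + 4:off + 8]
        off += 12 + length  # length field + type + data + crc
        if ctype == b"IEND":
            return blob[off:]
    return b""


def xor_bruteforce_pe(data: bytes):
    """Try every single-byte key; accept only a key that yields a structurally valid PE."""
    for key in range(256):
        if xor1(data[:2], key) == b"MZ":
            plain = xor1(data, key)
            if is_pe(plain):
                return key, plain
    return None


def extract_b64_pe(data: bytes):
    """Scan for base64 runs and return the first one that decodes to a PE."""
    for m in B64_RUN.finditer(data):
        try:
            dec = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if is_pe(dec):
            return dec
    return None


def unpack(blob: bytes) -> dict:
    """Walk the chain: carve -> brute-force XOR -> base64; raise if a layer does not yield a PE."""
    appended = carve_after_iend(blob)
    found = xor_bruteforce_pe(appended)
    if found is None:
        raise ValueError("no single-byte XOR key yielded a PE")
    key, stage2 = found
    stage3 = extract_b64_pe(stage2)
    if stage3 is None:
        raise ValueError("stage 2 carries no base64-encoded PE")
    return {"xor_key": key, "stage2": stage2, "stage3": stage3}


if __name__ == "__main__":
    r = unpack(build_sample())
    print(f"key=0x{r['xor_key']:02x} stage2={len(r['stage2'])} bytes stage3={len(r['stage3'])} bytes")
```

The point of validating each candidate against the PE structure rather than just the "MZ" bytes is that a single-byte brute force produces 256 candidates and two magic bytes alone give false positives; real multi-byte or RC4-style layers need the key recovered from the loader code, which this toy does not attempt.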

"Due to increased operating system security and endpoint and network protection, malware needs to distribute the malicious infection stages over different techniques," he says. "In some cases, multiple stages are also necessary because of a complex commercial malware distribution system used by the adversaries to sell their malware in the underground as a service."

For example, phishing attacks conducted through an online cybercrime service may limit how much an attacker can do in that first stage.

The growing sophistication of the attack tools does not necessarily mean that the attackers themselves are becoming more sophisticated. A variety of cybercrime services allow even unskilled attackers to conduct relatively sophisticated attacks.

Many attacks continue to use Microsoft Word and Excel files to hide the initial stage. In the LokiBot case, the attackers used an Excel file.

Defenders should continually seek out intelligence on new campaigns and on how attackers are refining the techniques, technology, and procedures they use to fool users and compromise systems, Cisco Talos stated.
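Because the initial stage here is an Excel file that needs the user to enable macros, a cheap check at the mail gateway or on a sandbox intake is whether an Office file can carry macro content at all, regardless of its extension. The following is an added example, not Talos tooling; it constructs three minimal OOXML workbooks in memory (clean, VBA-bearing, and an Excel 4.0 macro sheet) and inspects the container for the parts and content types that indicate executable content. Legacy binary (.xls/.doc) files are only recognized by signature here; walking their VBA streams needs a full OLE parser.

```python
"""Flag Office files that can carry macro content, without trusting the file extension.

Added example; the workbooks it inspects are constructed in memory and are not real samples.
"""
import io
import zipfile

OLE_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.xls/.doc)
CT_MACRO_ENABLED = "macroEnabled"              # e.g. application/vnd.ms-excel.sheet.macroEnabled.main+xml
CT_VBA = "application/vnd.ms-office.vbaProject"


def macro_indicators(data: bytes) -> list:
    """Return reasons the file may run code when opened; an empty list means none were found."""
    if data.startswith(OLE_SIG):
        # VBA in the binary format lives in OLE streams; an OLE parser (e.g. olevba) is needed to go further.
        return ["legacy OLE container: inspect VBA/Macro streams with an OLE parser"]
    if not data.startswith(b"PK"):
        return []
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            lowered = [n.lower() for n in names]
            if any(n.endswith("vbaproject.bin") for n in lowered):
                reasons.append("VBA project part present (vbaProject.bin)")
            if any(n.startswith("xl/macrosheets/") for n in lowered):
                reasons.append("Excel 4.0 (XLM) macro sheet present")
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if CT_MACRO_ENABLED in ct or CT_VBA in ct:
                    reasons.append("content types declare a macro-enabled document")
    except zipfile.BadZipFile:
        reasons.append("PK signature but unreadable zip: possibly a crafted container")
    return reasons


def build_workbook(kind: str) -> bytes:
    """Constructed minimal OOXML workbooks: 'clean', 'vba' or 'xlm' (stand-ins, not real documents)."""
    types = ['<Override PartName="/xl/workbook.xml" '
             'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    parts = {"xl/workbook.xml": b"<workbook/>"}
    if kind == "vba":
        types = ['<Override PartName="/xl/workbook.xml" '
                 'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>',
                 '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>']
        parts["xl/vbaProject.bin"] = OLE_SIG + bytes(16)  # placeholder for a real VBA project stream
    elif kind == "xlm":
        parts["xl/macrosheets/sheet1.xml"] = b"<macrosheet/>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(types) + "</Types>")
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("clean", "vba", "xlm"):
        print(kind, macro_indicators(build_workbook(kind)))
```

The check deliberately ignores the filename: an .xlsm renamed to .xlsx still contains xl/vbaProject.bin, and an XLM macro sheet never touches the VBA project at all, so both indicators are needed.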

"Companies should expect that a few percent of new malware may bypass their security systems," Unterbrink says. "Some users may always be tricked into opening malware."

Because attackers often spend days to weeks inside a network identifying the most valuable data, frequently as a prelude to a ransomware attack, detecting lateral movement, and not just the initial compromise, is important.
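One detection that targets the lateral-movement phase rather than the initial compromise is a fan-out rule: a single account producing successful network logons to many distinct hosts in a short window. The following added example (not from Cisco Talos or Microsoft) runs that rule over constructed JSON-lines records whose field names are a simplification of Windows Security event 4624; machine accounts (trailing "$"), interactive logons and failures are filtered out so the rule keys on the pattern rather than on noise.

```python
"""Spot fan-out network logons: one account reaching many hosts inside a sliding window.

Added example; the events below are constructed and the field names are this example's
own simplification of Windows Security event 4624 (LogonType 3 = network logon).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed input, JSON lines. svc_backup touches four hosts in under six minutes;
# the others are an interactive logon, a machine account, a failed logon (4625), and
# an admin whose two logons are 90 minutes apart.
SAMPLE_EVENTS = """
{"time":"2020-10-21T09:00:00","EventID":4624,"LogonType":3,"account":"admin","host":"FS01","src_ip":"10.0.5.9"}
{"time":"2020-10-21T09:02:10","EventID":4624,"LogonType":3,"account":"svc_backup","host":"FS01","src_ip":"10.0.5.23"}
{"time":"2020-10-21T09:03:41","EventID":4624,"LogonType":3,"account":"svc_backup","host":"DC01","src_ip":"10.0.5.23"}
{"time":"2020-10-21T09:04:05","EventID":4624,"LogonType":2,"account":"jdoe","host":"WS03","src_ip":"-"}
{"time":"2020-10-21T09:05:57","EventID":4624,"LogonType":3,"account":"svc_backup","host":"WS07","src_ip":"10.0.5.23"}
{"time":"2020-10-21T09:06:12","EventID":4624,"LogonType":3,"account":"WS03$","host":"DC01","src_ip":"10.0.5.40"}
{"time":"2020-10-21T09:07:30","EventID":4624,"LogonType":3,"account":"svc_backup","host":"WS12","src_ip":"10.0.5.23"}
{"time":"2020-10-21T09:08:00","EventID":4625,"LogonType":3,"account":"svc_backup","host":"WS13","src_ip":"10.0.5.23"}
{"time":"2020-10-21T10:30:00","EventID":4624,"LogonType":3,"account":"admin","host":"WS02","src_ip":"10.0.5.9"}
"""


def parse_events(text: str):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_fanout(events, threshold=3, window=timedelta(minutes=10)) -> dict:
    """Return {account: {"hosts", "src_ips", "last"}} for accounts whose successful
    network logons reach >= threshold distinct hosts within any sliding window.
    Machine accounts (trailing '$') are skipped as routine domain noise."""
    relevant = [e for e in events
                if e["EventID"] == 4624 and e["LogonType"] == 3
                and not e["account"].endswith("$")]
    relevant.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    recent = defaultdict(deque)              # account -> (ts, host, src_ip) within the window
    alerts = {}
    for e in relevant:
        ts = datetime.fromisoformat(e["time"])
        dq = recent[e["account"]]
        dq.append((ts, e["host"], e["src_ip"]))
        while ts - dq[0][0] > window:        # the newest entry is never evicted (ts - ts == 0)
            dq.popleft()
        hosts = sorted({h for _, h, _ in dq})
        if len(hosts) >= threshold:
            alerts[e["account"]] = {"hosts": hosts,
                                    "src_ips": sorted({s for _, _, s in dq}),
                                    "last": e["time"]}
    return alerts


if __name__ == "__main__":
    for account, info in detect_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"fan-out by {account}: {info['hosts']} from {info['src_ips']} (last {info['last']})")
```

Keeping the source IP in the alert matters in practice: a single origin host spraying an account across the estate is the pattern to chase, whereas the same account legitimately used from many workstations (a help-desk account, for example) would need a per-source baseline rather than a flat threshold.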
