Dark Reading is part of the Informa Tech Division of Informa PLC

Financial Malware Detects Remote Desktop Environments To Evade Researchers

'Shylock' malware joins the list of malicious programs enhancing their defenses to avoid analysis by researchers

Like any other group of business people, cybercriminals want to protect their investments.

In the case of malware, that means thwarting research and analysis. According to Trusteer, the author of the financial malware platform known as Shylock has added a new mechanism to identify and avoid remote desktop environments commonly used by researchers when analyzing malware.

"Suspected malware samples are collected for analysis and often placed onto machines that are isolated in an operations center ("lab")," explains Gal Frishman, malware research team leader at Trusteer, in a blog post. "Rather than sitting in front of a rack of physical machines in a cold basement lab, researchers use remote desktop connections to study malware from the convenience and coziness of their offices.

"It is this human weakness that Shylock exploits," Frishman continues. "We have discovered advanced malware that is now capable of detecting remote desktop environments to evade researchers."

The Shylock dropper does this by feeding invalid data into a particular routine and then watching the error code that gets returned. It uses this return code to differentiate between normal desktops and lab environments, the researcher explains. When executed from a remote desktop session, the return code will be different and the malware will not install.

"The dropper dynamically loads Winscard.dll and calls the function SCardForgetReaderGroupA(0, 0)," writes Frishman. "The malware proceeds as expected only if the return value is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). We noticed that when the dropper is executed locally the return value is 0x80100011, but when it is executed from a remote desktop session the return value is 0x80100004 (SCARD_E_INVALID_PARAMETER)."
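The following is an added example, not Trusteer's or the malware's code: a lab self-check an analyst can run on a Windows analysis VM to learn which of the return codes quoted above it produces, and therefore whether a sample using this gate would stay dormant there. The function and helper names are constructed; the ctypes signature follows the Windows SDK declaration of SCardForgetReaderGroupA, and the live probe runs only on Windows while the interpretation logic is plain Python.

```python
"""Lab self-check: does this analysis VM answer SCardForgetReaderGroupA(0, 0)
with the 'local desktop' code or the 'remote desktop' code quoted by Trusteer?
Added example; names below are constructed for illustration."""
import ctypes
import sys

# Return codes quoted in the Trusteer write-up.
SCARD_E_INVALID_VALUE = 0x80100011      # observed when run on a local desktop
ERROR_FILE_NOT_FOUND = 0x2              # also accepted by the dropper
SCARD_E_INVALID_PARAMETER = 0x80100004  # observed inside a remote desktop session


def dropper_would_proceed(rc: int) -> bool:
    """Mirror the gating rule described in the article: the dropper installs
    only if the return value is one of the two 'local' codes.  The mask copes
    with a signed 32-bit LONG being handed in as a negative Python int."""
    return (rc & 0xFFFFFFFF) in (SCARD_E_INVALID_VALUE, ERROR_FILE_NOT_FOUND)


def classify(rc: int) -> str:
    """Human-readable verdict for the lab operator."""
    rc &= 0xFFFFFFFF
    if rc == SCARD_E_INVALID_PARAMETER:
        return "remote-desktop-like: dropper would abort, sample stays dormant"
    if dropper_would_proceed(rc):
        return "local-desktop-like: dropper would install, sample runs"
    return f"unexpected 0x{rc:08X}: dropper would abort"


def probe_winscard() -> int:
    """Live call, Windows only.  Load winscard.dll dynamically, as the dropper
    does, and return the raw result as an unsigned 32-bit value."""
    if sys.platform != "win32":
        raise OSError("winscard.dll probe only runs on Windows")
    winscard = ctypes.WinDLL("winscard")
    fn = winscard.SCardForgetReaderGroupA
    fn.restype = ctypes.c_uint32   # LONG in the SDK; unsigned keeps 0x8010xxxx readable
    fn.argtypes = [ctypes.c_void_p, ctypes.c_char_p]  # SCARDCONTEXT, LPCSTR
    return fn(None, None)          # the (0, 0) call from the write-up


if __name__ == "__main__":
    code = probe_winscard()
    print(f"SCardForgetReaderGroupA(0, 0) -> 0x{code:08X}: {classify(code)}")
```

Run it at the console of the analysis VM and again over a remote desktop session; if the two verdicts differ, the lab reproduces the condition the article describes.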

Malware authors are continuously developing techniques to evade sandboxes used for analysis, notes Vikram Thakur, principal manager at Symantec Security Response.

"There are many virtual environments that are detected by malware these days," he tells Dark Reading. "In fact, just recently we spotted two new techniques added to the list of techniques used by malware to evade sandboxes -- monitoring of mouse movement and monitoring for code to lay dormant for five minutes before execution.

"Avoiding remote desktop sessions can, indeed, work to accomplish the same purpose," he adds. "At the end of the day, malware authors realize that organizations use automated techniques in order to determine the capabilities of malware. By investing development time to circumvent sandboxes, they are trying to buy themselves some time before they get detected."

At the Black Hat security conference this year, researchers presented techniques they said could make malware analysis unscalable by designing malware that fails to execute correctly on any environment other than the one originally affected.

In the coming year, those types of techniques will become more common, predicts Tomer Teller, security evangelist with Check Point Software Technologies.

"Malware will be more dedicated and will attack only computers with a specific configuration," he says. "The ability of malware to thwart analysis will improve in the new year."
