'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Researchers spot a nearly year-long attack campaign that employs some special tricks

Newly discovered malware that has been targeting thousands of businesses -- mostly in the financial, education, and telecom industries in the U.K. -- for almost a year employs its own custom protocol and a "magic code" to communicate with a victim's machine.

Aviv Raff, CTO at Seculert, says the attackers behind the campaign are gathering data from the infected businesses and are constantly adding new features to what appears to be an unusual malware family that is still a work in progress.

"We currently only have visibility to the current phase of the campaign. I believe that, at the end, the attackers will sell the collected information, or provide access to selected targets, as part of an industrial espionage operation," Raff says. "Previous similar operations ended up with a wiper module being downloaded to cover their tracks. This might also be the case here."

The malware uses what it calls "magic code" to authenticate the infected machine. "Without this 'magic code,' the server will not reveal the command intended for the victim," Raff says.

It also communicates with the infected machines via a custom-made protocol rather than standard HTTP for command-and-control. The conversation between the server and the infected machine starts with a specific code, dubbed "magic code" by the attackers. Seculert observed the command-and-control server responding to the malware over the custom protocol with an instruction to add a new backdoor: Username: WINDOWS, Password: MyPass1234. That gives the attacker remote access to the victim's machine.
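A defender-side hunt for the backdoor credentials described above, as an added example that is not from the article or from Seculert: it assumes the backdoor is a local Windows user account and scans an exported Security log for creation of an account named WINDOWS (event 4720), then goes beyond the article by recording any local group that account was later added to (event 4732). The export layout, host names, SIDs and timestamps are constructed for illustration.

```python
import json

BACKDOOR_NAME = "WINDOWS"      # account name reported in the article
USER_CREATED = 4720            # Security log: a user account was created
ADDED_TO_LOCAL_GROUP = 4732    # Security log: member added to a local group

# Constructed sample export (not real telemetry): one JSON object per line,
# oldest first. Field names follow the Security event data; the layout of the
# export itself is an assumption.
SAMPLE_EVENTS = """
{"EventID": 4720, "Computer": "FIN-WS-014", "TimeCreated": "2013-04-02T09:15:40Z", "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1-2-3-1104", "SubjectUserName": "helpdesk"}
{"EventID": 4720, "Computer": "FIN-WS-014", "TimeCreated": "2013-04-03T03:11:09Z", "TargetUserName": "WINDOWS", "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "FIN-WS-014$"}
{"EventID": 4732, "Computer": "FIN-WS-014", "TimeCreated": "2013-04-03T03:11:10Z", "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "FIN-WS-014$"}
{"EventID": 4720, "Computer": "EDU-LAB-02", "TimeCreated": "2013-04-05T22:40:51Z", "TargetUserName": "windows", "TargetSid": "S-1-5-21-4-5-6-1009", "SubjectUserName": "EDU-LAB-02$"}
{"EventID": 4732, "Computer": "EDU-LAB-02", "TimeCreated": "2013-04-06T08:00:00Z", "TargetUserName": "Backup Operators", "MemberSid": "S-1-5-21-4-5-6-1003", "SubjectUserName": "labadmin"}
"""


def hunt_backdoor_account(export_text):
    """Return one finding per host/SID where the reported account was created."""
    findings = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        host = event["Computer"]
        if event["EventID"] == USER_CREATED:
            # Windows account names are case-insensitive, so compare folded.
            if event["TargetUserName"].upper() == BACKDOOR_NAME:
                findings[(host, event["TargetSid"])] = {
                    "host": host,
                    "account": event["TargetUserName"],
                    "created": event["TimeCreated"],
                    "created_by": event["SubjectUserName"],
                    "groups": [],
                }
        elif event["EventID"] == ADDED_TO_LOCAL_GROUP:
            # 4732 identifies the member by SID; TargetUserName is the group.
            hit = findings.get((host, event["MemberSid"]))
            if hit is not None:
                hit["groups"].append(event["TargetUserName"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in hunt_backdoor_account(SAMPLE_EVENTS):
        print(finding)
```

Correlating on the SID rather than the name keeps the group lookup correct even if the account is renamed after creation.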

Raff says it's still unclear who is behind it. But given that the malware appears to still be under development, more information on the intent of the attacks should emerge. "This campaign is using a custom-made malware and has gone undetected for almost a year now, targeting businesses. The attackers are collecting data from the targeted entities, and keep adding features, which will eventually reveal their real intent behind this campaign," he says.

The full blog post from Seculert's Raff, complete with screenshots and code snippets, is here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/18/2013 | 6:27:04 PM
re: 'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Courtland from OpenDNS here. According to our product team, the "magic code" is simply a custom authentication added, which is something that was mentioned in our role of DNS in C&C whitepaper. It's especially important with distributed peer-to-peer botnet topologies so that authorities can't hijack the command infrastructure. This may be how this botnet is operating. For additional reading on the topic, check out the whitepaper, The Role of DNS in Botnet Command and Control: http://info.umbrella.com/rs/op...