Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:20 AM
Connect Directly

'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Researchers spot a nearly year-long attack campaign that employs some special tricks

Newly discovered malware that has been targeting thousands of businesses -- mostly in the financial, education, and telecom industries in the U.K. -- for almost a year employs its own custom protocol and a "magic code" to communicate with a victim's machine.

Aviv Raff, CTO at Seculert, says the attackers behind the campaign are gathering data from the infected businesses and are constantly adding new features to what appears to be a work in progress and unusual malware family.

"We currently only have visibility to the current phase of the campaign. I believe that, at the end, the attackers will sell the collected information, or provide access to selected targets, as part of an industrial espionage operation," Raff says. "Previous similar operations ended up with a wiper module being downloaded to cover their tracks. This might also be the case here."

The malware uses what it calls "magic code" for authenticating the infected machine. "Without this 'magic code,' the server will not reveal the command intended for victim," Raff says.

It also communicates with the infected machines via a custom-made protocol rather than the standard HTTP for command-and-control. The start of the conversation between the server and the infected machine is the specific code, dubbed "magic code" by the attackers. Seculert discovered the command-and-control server responding to the malware via the custom protocol to add a new backdoor: Username: WINDOWS, Password: MyPass1234. That gives the attacker remote access to the victim's machine.

Raff says it's still unclear who is behind it. But given that the malware appears to still be under development, more information on the intent of the attacks should emerge. "This campaign is using a custom-made malware and has gone undetected for almost a year now, targeting businesses. The attackers are collecting data from the targeted entities, and keep adding features, which will eventually reveal their real intent behind this campaign," he says.

The full blog post from Seculert's Raff, complete with screenshots and code snippets, is here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/18/2013 | 6:27:04 PM
re: 'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Courtland from OpenDNS here. According to our product team, the "magic code" is simply a custom authentication added, which is something that was mentioned in our role of DNS in C&C whitepaper. Its especially important with distributed peer-to-peer botnet topologies so that authorities can't hijack the command infrastructure.- This may be how this botnet is operating. For additional reading on the topic, check out the whitepaper, The Role of DNS in botnet Command and Control: http://info.umbrella.com/rs/op...
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-22
Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with Firmware versions Fritz!OS 6.80 and 6.83 allows physically proximate attackers to view slices of previously transmitted packets or portions of memory via via unspecified vectors.
PUBLISHED: 2019-10-22
Apache Traffic Server is vulnerable to HTTP/2 setting flood attacks. Earlier versions of Apache Traffic Server didn't limit the number of setting frames sent from the client using the HTTP/2 protocol. Users should upgrade to Apache Traffic Server 7.1.7, 8.0.4, or later versions.
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to Argument Injection via special characters in the username field. Upon successful exploitation, a remote unauthenticated user can create a local system user with sudo privileges, and use that user to login to the...
PUBLISHED: 2019-10-22
The Sangoma Session Border Controller (SBC) 2.3.23-119 GA web interface is vulnerable to an authentication bypass via an argument injection vulnerability involving special characters in the username field. Upon successful exploitation, a remote unauthenticated user can login into the device's admin ...
PUBLISHED: 2019-10-22
GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusi...