'Magic' Malware Uses Custom Protocol And A 'Magic Code' Handshake

Researchers spot a nearly year-long attack campaign that employs some special tricks

Dark Reading Staff, Dark Reading

April 17, 2013

2 Min Read

Newly discovered malware that has been targeting thousands of businesses -- mostly in the financial, education, and telecom industries in the U.K. -- for almost a year employs its own custom protocol and a "magic code" to communicate with a victim's machine.

Aviv Raff, CTO at Seculert, says the attackers behind the campaign are gathering data from the infected businesses and are constantly adding new features to what appears to be an unusual malware family that is still a work in progress.

"We currently only have visibility to the current phase of the campaign. I believe that, at the end, the attackers will sell the collected information, or provide access to selected targets, as part of an industrial espionage operation," Raff says. "Previous similar operations ended up with a wiper module being downloaded to cover their tracks. This might also be the case here."

The malware uses what it calls "magic code" for authenticating the infected machine. "Without this 'magic code,' the server will not reveal the command intended for victim," Raff says.

It also communicates with the infected machines via a custom-made protocol rather than the standard HTTP for command-and-control. The start of the conversation between the server and the infected machine is the specific code, dubbed "magic code" by the attackers. Seculert discovered the command-and-control server responding to the malware via the custom protocol to add a new backdoor: Username: WINDOWS, Password: MyPass1234. That gives the attacker remote access to the victim's machine.
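The two behaviours described above, a client-first "magic code" handshake on a non-HTTP protocol and the pushed backdoor account, suggest defender-side checks. The following is an added example, not code from the article or from Seculert; the article gives no port or byte layout, so the web-port assumption and the sample flow bytes are constructed.

```python
# Added example (not from the article or Seculert): defender-side heuristics
# for the two behaviours the story describes. The article gives no packet
# format or port, so the traffic layout below is constructed.
from typing import Iterable

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")
TLS_CLIENT_HELLO = b"\x16\x03"   # TLS record type handshake, version 3.x
WEB_PORTS = {80, 443, 8080}      # assumption: the C2 blends into web ports

def classify_first_payload(dst_port: int, first_bytes: bytes) -> str:
    """Label a flow by the first bytes the client sends."""
    if dst_port not in WEB_PORTS:
        return "non-web"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes.startswith(TLS_CLIENT_HELLO):
        return "tls"
    # Anything else on a web port is a candidate custom protocol. The
    # client's opening bytes are the handshake token to keep for a
    # signature, since the server reveals nothing without that token,
    # so probing the server yourself will not show the command channel.
    return "custom-handshake-candidate"

# Backdoor account the article reports the C2 server pushing.
BACKDOOR_USER = "WINDOWS"

def flag_backdoor_account(events: Iterable[dict]) -> list:
    """Return Windows 4720 (user created) events naming the reported account."""
    return [e for e in events
            if e.get("EventID") == 4720
            and e.get("TargetUserName", "").upper() == BACKDOOR_USER]

# Constructed sample data so the example runs stand-alone.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\n"),
    (443, b"\x16\x03\x01\x02\x00\x01\x00"),
    (80, b"\x00\x00MAGIC-CODE-CONSTRUCTED\x00"),
]
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "WINDOWS", "SubjectUserName": "svc-app"},
    {"EventID": 4720, "TargetUserName": "jsmith", "SubjectUserName": "helpdesk"},
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, classify_first_payload(port, data), data[:24])
    print(flag_backdoor_account(SAMPLE_EVENTS))
```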

Raff says it's still unclear who is behind it. But given that the malware appears to still be under development, more information on the intent of the attacks should emerge. "This campaign is using a custom-made malware and has gone undetected for almost a year now, targeting businesses. The attackers are collecting data from the targeted entities, and keep adding features, which will eventually reveal their real intent behind this campaign," he says.

The full blog post from Seculert's Raff, complete with screenshots and code snippets, is here.


About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
