Backdoor Trojan With Junk Data to Avoid Detection

2May - by Dawood Khan - 0 - In News

A malware coder is injecting megabytes of junk data inside his malicious payloads, hoping to avoid detection by some antivirus solutions or delay investigations of infosec professionals.

Google Patches 6 Critical Android Mediaserver Bugs Google has released its monthly security patches for Android this week, addressing 17 critical vulnerabilities, 6 of which affect Android Mediaserver component that could be used to execute malicious code remotely.Besides patches for Mediaserver, Google also fixed 4 critical ...

Known only as "123", this malware coder has been active since 2015, when he was first spotted deploying the XXMM malware. His activity falls in the category of targeted attacks, this crook focusing on infecting computers at Japanese companies for the purpose of exfiltrating sensitive data.

123 malware author behind three malware families

According to reports, this threat actor is behind at least three malware families, named XXMM, ShadowWali, and Wali, respectively.

The interest in 123's activities piqued again over the past month after they unearthed two new malware families created by the same coder.

The first one they've discovered was a new backdoor trojan called Wali, which they saw used in live attacks in 2016 and 2017.

Two weeks after Kaspersky's initial Wali report, security researchers from Cybereason unearthed another backdoor, which they named ShadowWali due to the many features it shared with Wali.

Amazon Self-Driving Vehicles for More Efficient, Cheaper Delivery Amazon has set up a skunkworks project to explore using self-driving vehicles to deliver packages. Amazon wouldn’t necessarily develop the vehicles themselves. Instead, it wants to see how driverless vehicles would improve package delivery and make Amazon more efficient.The...

ShadowWali is very likely an earlier version of Wali

Researchers uncovered attacks against Japanese companies with ShadowWali between 2015 and mid-2016, just before the Wali attacks.

Even if there are many differences between the two, experts believe ShadowWali was an earlier version of Wali, a theory supported by the fact that ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems, a clear evolution from the first.

Furthermore, their modus operandi is almost the same. An attack starts after a user downloads the malware from a compromised website. Running the initial payload will start a series of checks, which if satisfied, will end up downloading the final ShadowWali / Wali backdoor.

ShadowWali and Wali are inflated with junk data

Both ShadowWali and Wali are packed inside huge files, ranging from 50 to 200 MBs. Most of the data packed around ShadowWali and Wali is junk data with no real purpose. This is strange, as most malware is usually very small, only a few KBs, and very rarely reaching MB levels.

According to security experts, they believe 123 is under the false impression that by packing malware in large files, security products won't scan the files, thinking they're legitimate apps, or due to performance reasons.

Researchers also put forward the theory that another reason why 123 is packing loads of junk data around ShadowWali and Wali payloads is that he is trying to delay investigations from security firms. The reason is that YARA rules, special filters used by infosec professionals to track down malware, are often configured to look at small files, rather than larger files.

Credit Card with Built-In Fingerprint Scanner MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature.The company is already testing the new biometric payment cards, c...

Researcher uncover ShadowWali builder

Further sleuthing from Cybereason experts uncovered a utility that appears to be the ShadowWali builder, an application used to assemble the malware.

Even if it's named "xxmm2_build," Cybereason's Assaf Dahan says the output of this builder is more consistent with ShadowWali samples, rather than XXMM backdoors.

Further, the usage of the term "rootkit" in the builder's interface isn't consistent with the output, as samples operated in user mode only.

The builder also allowed researchers insight into the malware's C&C server comms, which rely on steganography to hide second-stage malware downloads inside JPG images, and a PHP tunnel to exchange data with infected hosts.

 

Leave a Reply

Your email address will not be published. Required fields are marked *