Backdoor Trojan With Junk Data to Avoid Detection

2May - by Dawood Khan - 0 - In News

A malware coder is injecting megabytes of junk data inside his malicious payloads, hoping to avoid detection by some antivirus solutions or delay investigations of infosec professionals.

CryptoMix Ransomware Using the Wallet Extension A new CryptoMix, or CryptFile2, variant was released that is now using the .ID.WALLET extension for encrypted files. This is very annoying as it makes it more difficult for victims to easily identify what ransomware they are infected with when they perform web searches. This is b...

Known only as "123", this malware coder has been active since 2015, when he was first spotted deploying the XXMM malware. His activity falls in the category of targeted attacks, this crook focusing on infecting computers at Japanese companies for the purpose of exfiltrating sensitive data.

123 malware author behind three malware families

According to reports, this threat actor is behind at least three malware families, named XXMM, ShadowWali, and Wali, respectively.

The interest in 123's activities piqued again over the past month after they unearthed two new malware families created by the same coder.

The first one they've discovered was a new backdoor trojan called Wali, which they saw used in live attacks in 2016 and 2017.

Two weeks after Kaspersky's initial Wali report, security researchers from Cybereason unearthed another backdoor, which they named ShadowWali due to the many features it shared with Wali.

NSA Hacking Tools Used to Hack Thousands of Windows PCs Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, allegedly belonged to the NSA's Equation Group.What's Worse? Microsoft quickly downplayed the se...

ShadowWali is very likely an earlier version of Wali

Researchers uncovered attacks against Japanese companies with ShadowWali between 2015 and mid-2016, just before the Wali attacks.

Even if there are many differences between the two, experts believe ShadowWali was an earlier version of Wali, a theory supported by the fact that ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems, a clear evolution from the first.

Furthermore, their modus operandi is almost the same. An attack starts after a user downloads the malware from a compromised website. Running the initial payload will start a series of checks, which if satisfied, will end up downloading the final ShadowWali / Wali backdoor.

ShadowWali and Wali are inflated with junk data

Both ShadowWali and Wali are packed inside huge files, ranging from 50 to 200 MBs. Most of the data packed around ShadowWali and Wali is junk data with no real purpose. This is strange, as most malware is usually very small, only a few KBs, and very rarely reaching MB levels.

According to security experts, they believe 123 is under the false impression that by packing malware in large files, security products won't scan the files, thinking they're legitimate apps, or due to performance reasons.

Researchers also put forward the theory that another reason why 123 is packing loads of junk data around ShadowWali and Wali payloads is that he is trying to delay investigations from security firms. The reason is that YARA rules, special filters used by infosec professionals to track down malware, are often configured to look at small files, rather than larger files.

Linux bug leaves 1.4 billion Android users vulnerable An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm ...

Researcher uncover ShadowWali builder

Further sleuthing from Cybereason experts uncovered a utility that appears to be the ShadowWali builder, an application used to assemble the malware.

Even if it's named "xxmm2_build," Cybereason's Assaf Dahan says the output of this builder is more consistent with ShadowWali samples, rather than XXMM backdoors.

Further, the usage of the term "rootkit" in the builder's interface isn't consistent with the output, as samples operated in user mode only.

The builder also allowed researchers insight into the malware's C&C server comms, which rely on steganography to hide second-stage malware downloads inside JPG images, and a PHP tunnel to exchange data with infected hosts.

 

Leave a Reply

Your email address will not be published. Required fields are marked *