Malware writers employ a variety of specialized obfuscation techniques to render known malware invisible to existing antivirus defenses. These techniques, known as “crypting,” enable malware writers to create unknown variants of proven, highly effective malware that evade AV detection and extend the reach of existing bot infrastructure.

Check Point Threat Emulation recently demonstrated that not all defenses are so easily evaded when it detected and blocked a crypted and previously unknown malware variant designed to deliver the DarkComet remote administration tool (RAT). Although this sample was able to evade most AV solutions, Threat Emulation was able to reveal it, and additional investigation by our research team traced it to a malware campaign that has been detected at work in Europe and Latin America. In addition to detecting and blocking this dangerous malware through the ThreatCloud network, this catch by Threat Emulation highlights the inner workings of the family of advanced attacks that are changing both the threat landscape and the range of solutions that security managers need in order to defend their networks and their data.

On December 31, 2013, Check Point ThreatCloud received an alert triggered by a Threat Emulation detection in a customer network. At the time of detection, the malware sample was unknown to the VirusTotal community and was able to pass numerous different antivirus engines with no detections. (VirusTotal is a Google-owned service that analyzes suspicious files and URLs and maintains a malware database that is shared back to the research community.)

The malware was sent by email from a fake Gmail address with the subject “PROFORMA INVOICE”, appearing to present a previously discussed possible purchase deal from a seller. The email included an attachment named ‘PROFORMA_INVOICE.rar’, which is a valid extractable RAR archive containing an executable file. Unlike attacks that exploit an OS or application vulnerability, this malware simply needs the end user to run the executable once it is extracted from the RAR file.