The implant is a multi-threaded DLL-library, which provides the grouping full access to the target system and control over it.
“Analysis reveals the implant is a multi-threaded DLL backdoor that gives the threat actor (TA) full access to, and control of, the target host. When commanded by C2, the implant can upload or download files, create processes, interact with the host via a command shell and connect to C2 according to a defined sleep/activity schedule”, — report Cylance specialists.
This approach demonstrates the sophisticated work of cybercriminals. The authors of the implant mask it using such well-known libraries as OpenSSL and the widely used POCO C++ compiler, as a result of which 99% of more than 3 megabytes of code are classified as legitimate. In this way, attackers try to get around evolving security systems, experts suggest.
“Since the file is packaged as a DLL, the intention would be to inject it into a long-running process that is granted Internet access (such as a NetSvc service group) or one having local firewall permissions. We do not believe this DLL is intended to operate as a module for a larger tool”, — conclude Cylance researchers.
In the past, cybercriminals used various methods of evading computer protection systems, most often they included encrypting parts of a file to prevent antivirus detection. In addition, cybercriminals used domain generation algorithms to subsequently download code from hard-to-reach locations, bypassing antivirus scans.
Masking malware as legitimate code is an old cybercriminal technique. Cheating is a key part of their toolkit, but convincing machine learning algorithms designed to detect malicious code functions is much more difficult.
Read also: Despite the venerable age of 9 years, China Chopper backdoor is still effective
APT28 has been operating since at least 2007 and now specializes in stealing confidential information related to government and military structures. APT28 systematically develops its malware and uses sophisticated coding methods that complicate the analysis of its malware.
About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…
About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…
About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…
About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…
About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…
About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…