Author of Malware Inflates Backdoor Trojan with Scrap Data Hoping to Avoid Detection
Dubbed ShadowWali by security firm Cybereason, the backdoor collects information about compromised machines and their networks, and also steals sensitive data and credentials. Wali's operators can then use this information to move laterally within an organization and compromise many more machines.
The malware author injects megabytes of scrap data into the malicious payloads, hoping to avoid detection by some antivirus products (which may skip or mishandle very large files) or to slow down investigations by security analysts.
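A triage heuristic for this kind of inflated sample, as an added example that is not code from the article or from Cybereason. It assumes the junk is appended after the last PE section (an "overlay") and is low-entropy filler; the thresholds are arbitrary starting points rather than published indicators, and the PE-shaped blobs it builds are constructed demo inputs, not real executables.

```python
"""Triage heuristic for payloads inflated with junk data.

Added example, not code from the article or from Cybereason. Assumptions:
the junk is appended after the last PE section (an overlay) and is
low-entropy filler; the thresholds are arbitrary starting points, not
published indicators. The PE blobs below are constructed for the demo and
are not real executables.
"""
import math
import random
import struct
from collections import Counter

SECTION_HDR_SIZE = 40           # size of one IMAGE_SECTION_HEADER
OVERLAY_RATIO_THRESHOLD = 0.80  # assumed: >80% of the file being overlay is suspicious
LOW_ENTROPY_BITS = 1.0          # assumed: below 1 bit/byte looks like filler


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def pe_image_end(blob: bytes) -> int:
    """Offset just past the last raw section; anything after it is overlay."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_hdr_size
    end = table + num_sections * SECTION_HDR_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each header
        size_raw, ptr_raw = struct.unpack_from("<II", blob, table + i * SECTION_HDR_SIZE + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def triage(blob: bytes) -> dict:
    """Report overlay size/entropy and flag a file that is mostly low-entropy overlay."""
    overlay = blob[pe_image_end(blob):]
    ratio = len(overlay) / len(blob)
    entropy = shannon_entropy(overlay)
    return {
        "file_size": len(blob),
        "overlay_size": len(overlay),
        "overlay_ratio": round(ratio, 3),
        "overlay_entropy": round(entropy, 3),
        "inflated": ratio > OVERLAY_RATIO_THRESHOLD and entropy < LOW_ENTROPY_BITS,
    }


def build_fake_pe(section_data: bytes, overlay: bytes = b"") -> bytes:
    """Constructed one-section PE-shaped blob (no optional header); demo input only."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20            # COFF header with SizeOfOptionalHeader = 0
    raw_ptr = table + SECTION_HDR_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + section + section_data + overlay


_rng = random.Random(1)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))        # constructed high-entropy "code"
CLEAN_SAMPLE = build_fake_pe(PAYLOAD)
INFLATED_SAMPLE = build_fake_pe(PAYLOAD, b"\0" * (4 * 1024 * 1024))  # plus 4 MB of filler

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("inflated", INFLATED_SAMPLE)):
        print(name, triage(sample))
```

Two caveats for real use: installers and self-extracting archives legitimately carry large overlays, so the size ratio alone is a poor signal, and an author who pads with random rather than repetitive junk will pass the entropy check. Treat a hit as a reason to look closer, not as a verdict.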
The author, known only as "123", has been active since 2015, when he was first spotted deploying the XXMM malware. Bleepingcomputer.com reported on May 1st, 2017 that his activity falls into the targeted-attack category and that he focuses on infecting computers in Japanese companies in order to exfiltrate sensitive data.
Most Wali samples inject their malicious payload into Internet Explorer. Researchers noted that "whether it's a case of two different backdoors or an evolution of one malware over two years is a matter of interpretation." To date, ShadowWali and Wali are still actively targeting Japanese organisations.
The identity of 123 is still unknown, but there are signals suggesting that the threat actor lives in Asia. Several C&C domains and IP addresses resolve to legitimate Japanese or Japan-related websites that had been compromised. Moreover, a few of the observed C&C domains were suspected to be bogus websites imitating the legitimate sites of Japanese businesses. Cybereason says several of the compromised sites were hosted by GMO Internet Group, one of Japan's largest hosting companies.
The malware builder also gave the researchers insight into the malware's C&C communications, which rely on steganography to hide the second-stage malware download inside JPG images, and on a PHP tunnel to exchange data with infected hosts.
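An added example of how an analyst might check a downloaded JPG for a hidden stage; this is not code from the article or from Cybereason. It assumes the simplest common steganography scheme, a payload appended after the image's EOI marker (the article does not say which scheme Wali uses), and the "image" it parses is a constructed, non-decodable stand-in built from real JPEG marker structure.

```python
"""Find data hidden after a JPEG's end-of-image marker.

Added example, not code from the article or from Cybereason. Assumption:
the second stage is simply appended after the EOI marker, one common
steganography scheme; the article does not say which scheme Wali uses.
The JPEG below is a constructed, non-decodable stand-in.
"""
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))               # restart markers, legal inside scan data
STANDALONE = {0x01, 0xD8} | RST            # TEM, SOI, RSTn carry no length field


def jpeg_end(blob: bytes) -> int:
    """Walk marker segments and entropy-coded scans; return the offset after EOI."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected marker at {pos:#x}")
        marker = blob[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        pos += 2 + struct.unpack_from(">H", blob, pos + 2)[0]   # skip the length-prefixed segment
        if marker == SOS:
            # Scan data: 0xFF is byte-stuffed as FF 00 and RSTn markers may appear;
            # any other FF xx is the next real marker (EOI, or another SOS/table).
            while pos + 1 < len(blob) and not (
                blob[pos] == 0xFF and blob[pos + 1] != 0 and blob[pos + 1] not in RST
            ):
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the image proper; non-empty means something is riding along."""
    return blob[jpeg_end(blob):]


def _seg(marker: int, body: bytes) -> bytes:
    """Build one length-prefixed marker segment."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed carrier: JFIF APP0, a quantisation table, a baseline frame header,
# a scan whose data contains a stuffed FF 00 and an RST0 marker, then EOI.
CARRIER = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    + b"\xff\xd9"
)
HIDDEN_STAGE2 = b"MZ" + b"\x90" * 16 + b"demo second stage"   # constructed, not real malware
STEGO_IMAGE = CARRIER + HIDDEN_STAGE2

if __name__ == "__main__":
    extra = trailing_data(STEGO_IMAGE)
    print(f"image ends at {jpeg_end(STEGO_IMAGE)}, {len(extra)} trailing bytes: {extra[:8]!r}")
```

Walking the scan data properly matters: a naive search for the first `FF D9` can stop early on an EXIF thumbnail (which is a complete embedded JPEG with its own EOI), and a search for the last one misses nothing only if the appended payload happens to contain no such byte pair. A payload hidden in the pixel data itself, rather than appended, would need a different check entirely.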
Experts also say there is evidence pointing to 123 being located in Asia, although no definitive attribution can be made at this juncture.
Researchers noted that "compared to other modern backdoors, the xxmm backdoor family doesn't stand out or seem very sophisticated." The backdoors nevertheless proved very effective: they successfully infected many endpoints over two years while evading traditional security products.
» SPAMfighter News - 5/4/2017