A new kind of malware was recently discovered that managed to slip past 56 separate antivirus products before finally getting caught.
The malware, when executed, can cause some serious damage to your device — and it seems to be so well made that it might be the product of nation-state actors. Opening an email attachment is all it takes to grant it enough entry to wreak havoc.
Unit 42, a threat intelligence team from Palo Alto, has just published a report on a piece of malware that managed to avoid detection from a massive 56 antivirus products. According to the team, the way the malware was built, packaged, and deployed is very similar to various techniques used by the APT29 threat group, also known under the names of Iron Ritual and Cozy Bear. This group has been attributed to Russia’s Foreign Intelligence Service (SVR), which indicates that the malware in question could be a nation-state affair.
According to Unit 42, the malware was first spotted in May 2022, and it was found hidden within a pretty strange file type — ISO, which is a disk image file used to carry the entire contents of an optical disc. The file comes with a malicious payload that Unit 42 believes was created using a tool called Brute Ratel (BRC4). BRC4 prides itself on being hard to detect, citing the fact that the tool’s authors reverse-engineered antivirus software in order to make the tool even stealthier. Brute Ratel is particularly popular with APT29, adding further weight to the claim that this malware could be linked to the Russia-based Cozy Bear group.
The ISO file pretends to be the curriculum vitae (resume) of someone named Roshan Bandara. Upon arrival in the recipient’s email mailbox, it doesn’t do anything, but when clicked, it mounts as a Windows drive and displays a file called “Roshan-Bandara_CV_Dialog”. At that point, it’s easy to get fooled — the file appears to be a typical Microsoft Word file, but if you click it, it executes cmd.exe and proceeds to install BRC4.
When that’s done, any number of things could happen to your PC — it all depends on the attacker’s intentions.
Unit 42 notes that finding this malware is worrying for a number of reasons. For one, there is a high probability that it is linked to APT29. Aside from the reasons listed above, the ISO file was created on the same day as when a new version of BRC4 was made public. This suggests that state-backed cyber attack actors could be timing their attacks to deploy them at the most opportune times. APT29 has also used malicious ISOs in the past, so everything seems to fall in line.
The near-undetectability is worrying in itself. For malware to be that stealthy takes a lot of work, and it suggests that such attacks could pose a real threat when used by the wrong team of people.
How can you stay safe?
Amidst frequent reports that cyber attacks have been on a massive rise in recent years, one can hope that many users are now more conscious of the dangers of trusting random people and their files all too much. However, sometimes these attacks come from unexpected sources and in various forms. Enormous distributed denial-of-service (DDoS) attacks happen all the time, but these are more of a problem for enterprise users. Sometimes, software that we know and trust can be used as a decoy to fool us into trusting the download. How to stay safe when danger seems to be lurking around every corner?
First of all, it’s important to realize that a lot of these large-scale cyberattacks are made to target organizations — it’s unlikely that individuals would be targetted. However, in this particular case where the malware is hidden within an ISO file that poses as a resume, it could plausibly be opened by people in various HR settings, including those in smaller organizations. Bigger businesses often have more robust IT departments that wouldn’t allow the opening of an unexpected ISO file — but you never know when something might slip through the cracks.
With the above in mind, it’s never a bad idea to follow a very simple rule that many of us still forget at times — never open attachments from unknown recipients. This can be difficult for an HR department that’s actively collecting resumes, but you, as an individual, can implement that rule into your daily life and not miss out on anything. It’s also not a bad idea to pick up one of the best antivirus software options available. However, the greatest security can be gained by simply browsing mindfully and not visiting websites that might not seem too legit as well as being cautious about your emails.
