A mysterious strain of malware, designed for cyber espionage, is targeting UK businesses.
Israeli security company Seculert has called the code 'magic malware' and describes it as "active and persistent". According to a company blog, the malware remained undetected on victim machines for approximately 11 months.
The Register reported that cyber criminals have targeted several thousand organisations in the UK across various industries, including telecoms, finance and education.
Seculert's CTO, Aviv Raff, says the malware employs a custom protocol to communicate with its command and control (C&C) servers. He added that the malicious code is still developing, and hasn't made use of all its features and functions yet.
The company adds that it originally flagged the sample due to its unusual behaviour for a legitimate executable. "Usually, when a malware initiates a communication with a C2 server, the first response is a setting, telling the malware what to do next."
Instead, Raff says, the C2 server told the malware to start communicating with the same IP address and port, but from that point on using a custom-made protocol rather than HTTP.
In fact, this element of the custom protocol lent the malware its name. The "magic" malware receives an initial response to use "some_magic_code1" as an authenticator.
Seculert cited one instance in which the malware was told to add a new user to the infected system with a username of WINDOWS and a password of MyPass1234, thus giving the attacker remote access to the compromised PC.
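The two behaviours reported above, an HTTP exchange followed by a non-HTTP session to the same endpoint that opens with the "some_magic_code1" authenticator, and the creation of a local account named WINDOWS, are the kind of signals a defender can look for. The following is an added detection sketch, not Seculert's code or the article's; the flow records, audit-line layout, addresses and ports are constructed assumptions, and only the two strings come from the article.

```python
import re

# Constructed sample telemetry for this example (not from Seculert or the article):
# simplified flow records (dst_ip, dst_port, first client bytes) and host audit lines.
# Only "some_magic_code1" and "WINDOWS" come from the article; addresses, ports,
# process names and the log layout are assumptions.
FLOWS = [
    ("203.0.113.10", 80, b"GET /cfg HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    ("203.0.113.10", 80, b"some_magic_code1\x00\x05hello"),      # same ip:port, not HTTP
    ("198.51.100.7", 80, b"POST /api HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    ("198.51.100.7", 443, b"\x16\x03\x01\x00\xf4"),               # TLS hello, no prior HTTP on 443
]
HOST_EVENTS = [
    "EventID=4720 TargetAccount=WINDOWS SubjectProcess=dropper.tmp",
    "EventID=4720 TargetAccount=jsmith SubjectProcess=lsass.exe",
    "EventID=4624 TargetAccount=WINDOWS LogonType=10",
]

MAGIC = b"some_magic_code1"
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
ACCOUNT_CREATED = re.compile(r"EventID=4720 .*TargetAccount=(\S+)")

def looks_like_http(payload: bytes) -> bool:
    """True if the client payload starts with an HTTP/1.x request line."""
    return HTTP_REQ.match(payload) is not None

def find_protocol_switch(flows):
    """Return endpoints where an HTTP session was followed by a non-HTTP session to
    the same ip:port, the switch the article describes. Each hit is
    (ip, port, magic_seen); magic_seen is True when the non-HTTP payload opens
    with the authenticator string."""
    seen_http = set()
    hits = []
    for ip, port, payload in flows:
        key = (ip, port)
        if looks_like_http(payload):
            seen_http.add(key)
        elif key in seen_http:
            hits.append((ip, port, payload.startswith(MAGIC)))
    return hits

def find_account_creation(events, watch=frozenset({"WINDOWS"})):
    """Return account names from creation events (assumed 4720-style) on the watch list."""
    return [m.group(1) for line in events
            if (m := ACCOUNT_CREATED.search(line)) and m.group(1) in watch]

if __name__ == "__main__":
    print(find_protocol_switch(FLOWS))         # [('203.0.113.10', 80, True)]
    print(find_account_creation(HOST_EVENTS))  # ['WINDOWS']
```

In practice the flow records would come from a network sensor and the audit lines from the Windows Security log; the protocol-switch check is the more durable of the two, since the account name and magic string are trivially changed by the operators.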
At present, Seculert does not know the exact infection vector. Because the dropper (the component that installs the malware on the machine) has such a small footprint, the company speculates that an exploit of some kind is involved, delivered either by spear phishing or by a drive-by download.
The attackers' true intentions have not been revealed, since the malware is able to set up a back door, steal information and inject HTML into the browser; for the moment, Seculert believes, the attackers are monitoring the activities of their targets. "But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack," wrote Raff in conclusion.