Thousands of U.K. business computers have been infected by espionage malware using a custom protocol to communicate with its command and control servers. Researchers at Israeli security company Seculert added that the malware is still percolating with a number of capabilities yet to be deployed.
The custom protocol has another unique element to it, in that it always initiates communication with a command that includes the string “some_magic_code1” as an authenticator. After an initial connection over HTTP, the interaction changes to the custom protocol and additional instructions are fed to infected machines.
Seculert CTO Aviv Raff said the malware, in one example, was instructed to add a new user to the infected system with a user name of WINDOWS and a password of MyPass1234 which would be used to give the attacker remote access to the compromised machine.
“This ‘magic malware’ — as we’ve dubbed it — is active, persistent and had remained undetected on the targeted machines for the past 11 months,” Raff wrote on the company’s blog.
Custom protocols used by malware to communicate with a remote server have part of some high-profile targeted attacks, including the one on RSA Security in 2011. In this case, targets in a number of U.K. industries, including financial services, education and telecommunications, have already been hit by the malware, which is capable of stealing data from compromised machines, enabling remote access for the attackers and hijacking Web browsing sessions.
“It can be used for espionage,” said Seculert CTO Aviv Raff in an email to Threatpost.
Raff said there are indications that the malware is still under development.
“We have seen several indication of features which are not yet implemented, and functions which are not yet used by the malware,” Raff said, adding that some of those features include the ability to open a browser on the victim machine via an RDP session.
“The missing and unused features are more technical. e.g. creating new processes under an impersonated user or parsing XML files,” Raff added.
Raff also said that Seculert cannot be certain how initial infections are happening.
“Currently, we don’t know the exact infection vector. But, because of the small presence of the dropper on the infected machine, it seems to be some sort of an exploit (spear phishing or drive-by download),” Raff said.
“As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” Raff added. “But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”