Stealthy Malware Flies Under AV Radar with Advanced Obfuscation

A threat campaign active since January customizes long-used droppers to infect victim machines and lift credentials and other data from browsers, according to Cisco Talos.

Researchers warn that hackers are putting a new spin on old process-injection techniques and successfully end-running endpoint protection. They are tracking a campaign that kicked off in January and is still going strong, harvesting credentials stored in web browsers. The objective is to hide in the background of infected systems in order to steal user passwords, track online habits and hijack personal information, according to a Cisco Talos report.

Cisco Talos said the wave of ongoing campaigns uses custom droppers to plant information-stealing malware such as Agent Tesla and Loki-bot into common application processes.

“The adversaries use custom droppers, which inject the final malware into common processes on the victim machine,” wrote Holger Unterbrink, a researcher with Cisco Talos, in a blog post about the new research. “Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.”

Unterbrink said the adversaries use injection techniques that have been employed for many years, but with new, custom capabilities that make them difficult for anti-virus (AV) protections to detect.

“Any internet user is a potential target of this malware, and if infected, has the potential to completely take away a user’s online privacy,” he warned.

Multistage Attack Chain

The dropper campaigns researchers observed work in several stages that use “obfuscation chains” to elude modern AV protections, Unterbrink said.

The first stage is typically an email with a malicious attachment that is actually an ARJ archive, a compression format from the early 1990s that was popular with software pirates for packaging files into archives.

“ARJ can split the archive into multiple smaller files. This made it easier to share these files over dial-up connections,” he explained in the post.

In the recent dropper campaigns, however, the archive is not split: it contains a single executable file. The attackers likely chose this old format because they hope it will slip past weak email security gateways that do not recognize or unpack it, Unterbrink added.
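The lesson for a gateway is to identify the attachment by its content rather than its file name. As an added example (not code from the Talos report or from Threatpost), the following Python recognizes an ARJ archive by its header magic (0x60 0xEA), walks the basic headers with CRC32 validation, and flags the pattern described above: an archive whose only content is one executable. The archive built in-line is constructed sample data with a fake PE stub, not a real sample from the campaign; the parser covers the basic and extended header layout and returns raw payloads only for stored (method 0) entries, since implementing ARJ's compression methods is out of scope here.

```python
"""Inspect an ARJ archive by its 0x60 0xEA header magic and flag a lone executable inside it."""
import struct
import zlib

ARJ_MAGIC = b"\x60\xEA"          # every ARJ header begins with these two bytes
MAIN_HEADER = 2                  # file_type value that marks the archive (main) header
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".dll", ".cpl")


def _header(fixed: bytes, name: bytes, comment: bytes = b"") -> bytes:
    """Serialize one basic header: magic, size, fixed fields, name, comment, CRC32, no ext headers."""
    body = fixed + name + b"\x00" + comment + b"\x00"
    return (ARJ_MAGIC + struct.pack("<H", len(body)) + body
            + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + b"\x00\x00")


def build_arj(files: list[tuple[str, bytes]]) -> bytes:
    """Build a minimal ARJ archive with stored (method 0) entries. Used only to construct demo
    input; timestamps and host data are zeroed for simplicity."""
    # main header: first_hdr_size=30, version 11, min version 1, host OS 0 (MS-DOS), file_type 2
    main_fixed = struct.pack("<8B4I2H2B", 30, 11, 1, 0, 0, 0, MAIN_HEADER, 0,
                             0, 0, 0, 0, 0, 0, 0, 0)
    out = _header(main_fixed, b"sample.arj")
    for name, payload in files:
        # file header: method 0 (stored), file_type 0 (binary), sizes, CRC, access mode 0x20
        file_fixed = struct.pack("<8B4I3H", 30, 11, 1, 0, 0, 0, 0, 0,
                                 0, len(payload), len(payload), zlib.crc32(payload) & 0xFFFFFFFF,
                                 0, 0x20, 0)
        out += _header(file_fixed, name.encode("latin-1")) + payload
    return out + ARJ_MAGIC + b"\x00\x00"   # a header of size 0 marks the end of the archive


def parse_arj(data: bytes) -> list[dict]:
    """Walk every header in an ARJ blob, verifying each basic-header CRC32 (ARJ uses the same
    polynomial as PKZIP), and return the file entries with raw payloads for stored entries."""
    if data[:2] != ARJ_MAGIC:
        raise ValueError("not an ARJ archive: magic 60 EA missing")
    pos, entries = 0, []
    while True:
        if data[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError(f"expected header magic at offset {pos}")
        (hdr_size,) = struct.unpack_from("<H", data, pos + 2)
        if hdr_size == 0:                      # end-of-archive marker
            return entries
        body = data[pos + 4:pos + 4 + hdr_size]
        if len(body) != hdr_size:
            raise ValueError("truncated header")
        (stored_crc,) = struct.unpack_from("<I", data, pos + 4 + hdr_size)
        if zlib.crc32(body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        first_hdr_size, method, file_type = body[0], body[5], body[6]
        name = body[first_hdr_size:body.index(b"\x00", first_hdr_size)].decode("latin-1")
        pos += 4 + hdr_size + 4                # past magic, size field, body and CRC
        while True:                            # skip extended headers; size 0 terminates the list
            (ext_size,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if ext_size == 0:
                break
            pos += ext_size + 4                # extended header plus its own CRC32
        if file_type == MAIN_HEADER:
            continue                           # the archive header carries no payload
        compressed, original = struct.unpack_from("<II", body, 12)
        payload = data[pos:pos + compressed]
        if len(payload) != compressed:
            raise ValueError("truncated payload")
        entries.append({"name": name, "method": method, "file_type": file_type,
                        "compressed": compressed, "original": original,
                        "payload": payload if method == 0 else None})
        pos += compressed


def triage_attachment(data: bytes) -> dict:
    """Gateway-style check: classify by content, then flag a single executable entry."""
    if data[:2] != ARJ_MAGIC:
        return {"is_arj": False, "files": [], "findings": [], "verdict": "not ARJ"}
    entries = [e for e in parse_arj(data) if e["file_type"] in (0, 1)]   # binary/text files
    findings = []
    for e in entries:
        if e["name"].lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable name: {e['name']}")
        if e["payload"] is not None and e["payload"][:2] == b"MZ":
            findings.append(f"stored PE payload: {e['name']}")
    if len(entries) == 1 and findings:
        findings.append("single executable entry, no other files")
    return {"is_arj": True, "files": [e["name"] for e in entries], "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# Constructed samples: a fake PE stub packed alone, and a benign two-file archive for contrast.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_ARJ = build_arj([("Invoice_2019.exe", FAKE_PE)])
BENIGN_ARJ = build_arj([("readme.txt", b"hello"), ("notes.txt", b"world")])

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ARJ))
    print(triage_attachment(BENIGN_ARJ))
```

The check deliberately ignores the attachment's extension: a gateway that keys on `.arj` alone is exactly what an attacker renames around, whereas the two-byte magic and the header walk work on whatever the file is called. Real campaigns will usually compress the payload (methods 1 to 4), so a production filter would hand the archive to a full extractor after this cheap triage.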

Operation Obfuscation

If the attachment is opened, the dropper runs through several more stages designed to evade detection, decrypting each stage in memory only just before it executes, so the decrypted code is never written to the hard drive, Unterbrink wrote. The dropper then injects the final payload, such as Agent Tesla, into a process on the victim’s machine; Agent Tesla is capable of stealing credentials from most browsers, email clients, SSH/SFTP/FTP clients and other software, he said.

The Agent Tesla sample researchers recently observed in the wild supports exfiltration via SMTP, FTP and HTTP, but in the case described in the blog post it used only SMTP, Unterbrink said.

“We think it is close to the customized Agent Tesla version that’s been circulating online for several months,” he wrote in the post.

The campaigns researchers observed are yet more evidence that bad actors craft modern malware to fly under the radar of current AV and basic security protections, Unterbrink said. Moreover, even well-known malware can be hidden this way.

“The adversaries use complex droppers that leverage several different obfuscation techniques to make it as hard as possible for antivirus programs to detect the malware,” he wrote in the post. “By using these droppers, they can quickly and easily change the final malware for their campaigns.”

