A newly discovered piece of malware slipped past 56 separate antivirus products before it was finally caught.
Unit 42, the threat intelligence team at Palo Alto Networks, has just published a report on a piece of malware that evaded detection by 56 antivirus products. According to the team, the way the malware was built, packaged and deployed closely resembles techniques used by the APT29 threat group, also known as Iron Ritual and Cozy Bear. That group has been attributed to Russia's Foreign Intelligence Service (SVR), so the malware in question could well be a nation-state affair.
According to Unit 42, the malware was first detected in May 2022, hidden inside an unusual container: an ISO file, a disc image format normally used to carry the entire contents of an optical disc. The image carries a malicious payload that Unit 42 believes was created with Brute Ratel C4 (BRC4), a commercial adversary-simulation framework. BRC4 prides itself on being hard to detect; its author says the tool was built after reverse-engineering antivirus and endpoint detection (EDR) products specifically so that it stays stealthy. Brute Ratel is particularly popular with APT29, adding further weight to the claim that this malware could be linked to the Russia-based Cozy Bear group.
The ISO file purports to be the curriculum vitae (resume) of someone named Roshan Bandara. Sitting in the recipient's inbox it does nothing, but once opened it mounts as a Windows drive letter and shows a single file called “Roshan-Bandara_CV_Dialog.” At that point it is easy to be fooled: the file looks like an ordinary Microsoft Word document, but double-clicking it launches cmd.exe, which goes on to install the BRC4 implant.
What happens next depends entirely on the attacker's intentions; with a command-and-control implant running on the PC, any number of things are possible.
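The infection chain above (an ISO that mounts as a drive and presents a decoy shortcut) is exactly why an ISO attachment should be inspected without ever mounting it. The following is an added example, not code from the original article or from Unit 42: a dependency-free Python reader for the ISO 9660 on-disc format that lists an image's root directory straight from the raw bytes and flags entries a resume should never contain. Because it cannot embed a real image, it also includes a small writer that builds a constructed sample (the file names, contents and the hidden helper binaries are made up for illustration and are not the contents of the real sample). It goes slightly beyond the text by handling Joliet long file names and the ISO "hidden" attribute, both of which such lures commonly use.

```python
import struct

SECTOR = 2048
RISKY_EXT = {".lnk", ".exe", ".dll", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1", ".scr"}
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")  # SVD escape sequences that mark Joliet

def _both(fmt, v):  # ISO 9660 "both-endian" field: little-endian copy, then big-endian
    return struct.pack("<" + fmt, v) + struct.pack(">" + fmt, v)

def _dir_record(ident, lba, size, is_dir=False, hidden=False):
    """One ECMA-119 directory record; byte 0 (its total length) is patched in last."""
    flags = (0x02 if is_dir else 0) | (0x01 if hidden else 0)  # bit 0 hidden, bit 1 directory
    rec = bytearray(b"\x00\x00") + _both("I", lba) + _both("I", size) + b"\x00" * 7
    rec += bytes([flags, 0, 0]) + _both("H", 1) + bytes([len(ident)]) + ident
    rec += b"\x00" * (1 - len(ident) % 2)  # pad so the record length stays even
    rec[0] = len(rec)
    return bytes(rec)

def build_iso(files):
    """Minimal ISO 9660 writer used only to make offline test input; files = [(name, data, hidden)].
    Layout: 16 PVD (ASCII names), 17 Joliet SVD (UCS-2 names), 18 terminator, 19/20 root dirs, 21+ files."""
    lba, extents = 21, []
    for _, data, _ in files:
        extents.append((lba, len(data)))
        lba += max(1, -(-len(data) // SECTOR))  # ceil(sectors), at least one
    img = bytearray(lba * SECTOR)

    def vol_desc(vtype, root, escape=b""):
        vd = bytearray(SECTOR)
        vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
        vd[80:88] = _both("I", lba)                           # volume size in sectors
        vd[88:120] = escape.ljust(32, b"\x00")                # Joliet escape, if any
        vd[120:132] = _both("H", 1) * 2 + _both("H", SECTOR)  # set size, seq no., block size
        vd[156:190] = _dir_record(b"\x00", root, SECTOR, is_dir=True)
        return vd

    def directory(self_lba, encode):  # "." and ".." first, then one record per file
        recs = _dir_record(b"\x00", self_lba, SECTOR, True) + _dir_record(b"\x01", self_lba, SECTOR, True)
        for (name, _, hidden), (flba, fsize) in zip(files, extents):
            recs += _dir_record(encode(name), flba, fsize, hidden=hidden)
        return recs

    blobs = {16: vol_desc(1, 19), 17: vol_desc(2, 20, b"%/E"),
             18: bytes([255]) + b"CD001" + bytes([1]),  # descriptor set terminator
             19: directory(19, lambda n: (n.upper() + ";1").encode("ascii")),
             20: directory(20, lambda n: (n + ";1").encode("utf-16-be"))}
    blobs.update({flba: data for (_, data, _), (flba, _) in zip(files, extents)})
    for sector, blob in blobs.items():
        img[sector * SECTOR:sector * SECTOR + len(blob)] = blob
    return bytes(img)

def list_iso(image):
    """Root directory of raw image bytes as [(name, size, is_dir, hidden)], taken from the
    Joliet SVD when present (the names Explorer shows). Nothing is mounted, so nothing runs."""
    root, joliet, lba = None, False, 16
    while True:
        vd = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 image (no CD001 descriptor)")
        if vd[0] == 255:  # descriptor set terminator
            break
        if vd[0] == 2 and vd[88:91] in JOLIET_ESCAPES:
            root, joliet = vd[156:190], True
        elif vd[0] == 1 and root is None:
            root = vd[156:190]
        lba += 1
    if root is None:
        raise ValueError("no primary volume descriptor")
    start = struct.unpack_from("<I", root, 2)[0] * SECTOR
    data = image[start:start + struct.unpack_from("<I", root, 10)[0]]
    entries, pos = [], 0
    while pos < len(data):
        if data[pos] == 0:  # zero padding: the rest of this sector is unused
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec, pos = data[pos:pos + data[pos]], pos + data[pos]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):  # skip "." and ".."
            name = ident.decode("utf-16-be" if joliet else "ascii").split(";")[0]
            entries.append((name, struct.unpack_from("<I", rec, 10)[0],
                            bool(rec[25] & 0x02), bool(rec[25] & 0x01)))
    return entries

def triage(image):
    """Return (name, reason) for root entries a resume should never contain."""
    findings = []
    for name, _, is_dir, hidden in list_iso(image):
        ext = name.lower()[name.rfind("."):] if "." in name else ""
        risky = not is_dir and ext in RISKY_EXT
        reasons = [f"'{ext}' runs on double-click"] * risky + ["hidden attribute set"] * hidden
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings

# Constructed sample, NOT the real artefact: a CV-named shortcut, two hidden MZ stubs, one text file
SAMPLE_FILES = [("Roshan-Bandara_CV_Dialog.lnk", b"L\x00\x00\x00" + b"\x00" * 60, False),
                ("updater.exe", b"MZ" + b"\x00" * 62, True), ("helper.dll", b"MZ" + b"\x00" * 62, True),
                ("notes.txt", b"plain text", False)]
SAMPLE_ISO = build_iso(SAMPLE_FILES)
```

Running `triage(SAMPLE_ISO)` reports the shortcut and both hidden binaries while leaving `notes.txt` alone; on a real attachment you would pass the file's bytes (`open(path, "rb").read()`) to `triage` instead. The point of reading the directory yourself is that a mounted ISO is just another drive to Windows, whereas parsing the bytes shows you every entry, hidden ones included, without giving a shortcut inside any chance to run.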
Unit 42 notes that the discovery is concerning for several reasons. For one, there is a high probability that it is linked to APT29. Beyond the reasons listed above, the ISO file was created on the same day that a new version of BRC4 was released, which suggests that state-backed actors may be timing their campaigns to coincide with fresh tooling that defenders have not yet profiled. APT29 has also used malicious ISOs in the past, so everything seems to line up.
The near-undetectability is worrying in itself. Making malware this stealthy takes a lot of work, and it shows what such attacks can do when they are in the wrong hands.
Amid frequent reports that cyber attacks have surged in recent years, one would hope that most users are now more aware of the danger of trusting strangers and their files. Yet these attacks come from unexpected sources and in many forms. Huge Distributed Denial of Service (DDoS) attacks happen all the time, but those are mostly a problem for businesses. Sometimes software we know and trust is used as a lure to make us trust a download. How do you stay safe when danger seems to lurk around every corner?
First, it's important to realize that most large-scale cyberattacks are aimed at organizations; individuals are rarely the primary target. In this particular case, though, where the malware hides inside an ISO file masquerading as a resume, it could plausibly be opened by anyone in an HR role, including at smaller organizations. Larger companies often have IT departments that block ISO attachments at the mail gateway or stop Explorer from mounting them, but something can always slip through the cracks.
With that in mind, it's never a bad idea to follow a simple rule that many of us still forget: never open attachments from unknown senders. That is hard for an HR department actively collecting resumes, but as an individual you can apply it every day without missing a thing. Choosing one of the better antivirus products is also worthwhile, though, as this case shows, a determined attacker can slip past all of them. The best protection comes from browsing mindfully, avoiding websites that don't look legitimate, and treating email attachments with caution.