Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

Malware Developers Refresh Their Attack Tools

Cisco analyzes the latest version of the LokiBot malware for stealing credentials, finding that its developers have added more misdirection and anti-analysis features.

The developers of attack tools continue to make headway in hobbling defenders from detecting and analyzing their malware, creating more complex infection chains to stymy defenses, an analysis by the Cisco Talos research team stated this week.

The researchers analyzed the latest attack techniques associated with an information-stealing campaign, known as LokiBit, and found that its developers have added a third stage to its process of compromising systems — along with more encryption — as a way to escape detection. The attacks also use a variety of other attack techniques, such as socially engineering users to enable macros on Microsoft Office, using images to hide code, and widespread encryption of resources.

Related Content:

Microsoft: Ransomware & Nation-State Attacks Rise, Get More Sophisticated

How Data Breaches Affect the Enterprise

New From The Edge: How the Shady Zero-Day Sales Game Is Evolving

While attackers will do the minimum necessary to successfully compromise systems, they need to do more because defenders are getting better, says Holger Unterbrink, a threat researcher with Cisco Talos.

"Operating systems got much more secure than they were a few years ago, [so] attackers need to adapt," he says. "Malware is a business [and so they have to build] malware which is good enough to bypass security measures on a reasonable number of devices."

The LokiBot malware is not alone in its growing sophistication to prevent analysis and detection. In October, Facebook revealed that adware used session cookies, geolocation spoofing, and changing of security settings to keep persistence on its platform, resulting in charges of more than $4 million. In general, attackers are more likely to use the one-off Web addresses to fool blocklists, focus on reconnaissance of targeted networks, and use credential harvesting to gain access, according to Microsoft's "Digital Defense Report," published in September.

The attack trends underscore that a multilayered approach to defenses is necessary to detect these attacks. While adversaries may manage to bypass one or more security measures, more potential points of detection will mean a greater chance of detecting intrusions before they become breaches.

"Attackers will do what works," Unterbrink says. "If we would prepare ourselves for a certain new bypass technique, they would just use a different one. It is more important to track, find, and detect new techniques used in the wild as soon as possible."

In total, the LokiBot dropper uses three stages, each with a layer of encryption, to attempt to hide the eventual source of code. The LokiBot example shows that threat actors are adopting more complex infection chains and using more sophisticated techniques to install their code and compromise systems. 

Distributing malicious actions over a number of stages is a good way to hide, says Unterbrink.

"Due to increased operation system security and endpoint and network protection, malware needs to distribute the malicious infection stages over different techniques," he says. "In some cases, multiple stages are also necessary because of a complex commercial malware distribution system used by the adversaries to sell their malware in the underground as a service."

Phishing attacks conducted through an online cybercrime service, for example, may limit how much an attacker can do in that first stage. 

The increase in sophistication of the attack tools does not necessarily mean that attackers are becoming more sophisticated as well. A variety of cybercrimes services are available to allow even unskilled attackers to conduct relatively sophisticated attacks. 

Many attacks continue to use Microsoft Word and Excel files as a way to hide the initial stage. In the LokiBot case, the attackers used an Excel file. 

Defenders should continually look out for intelligence on new campaigns and how attackers are refining the techniques, technology and procedures being used to fool users and compromise system, Cisco Talos stated. 

"Companies should expect that a few percentages of new malware may bypass their security systems," Unterbrink says. "Some users may always be tricked into opening malware."

Because attackers often spend days to weeks in a network to determine the most valuable data — often as a prelude to a ransomware attacks — detecting lateral movement, and not just the initial compromise, is important.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-04
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during a exploited clone install. This requires creating a clone file and signing that file with a com...
PUBLISHED: 2021-03-04
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open to potential cryptographic information dis...
PUBLISHED: 2021-03-03
The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive info...
PUBLISHED: 2021-03-03
resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
PUBLISHED: 2021-03-03
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package. In GLPI before verison 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or /front/documen...