
Researchers have discovered a new malware sample capable of evading more than 50 antivirus products currently on the market.
The malware was found by cybersecurity researchers from Unit 42, the Palo Alto Networks threat intelligence team. The team first spotted the strain in May, when it determined that the sample had been built using the Brute Ratel (BRC4) tool.
The developers of BRC4 claim they have even reverse engineered antivirus products to ensure that their tool evades detection.
The quality of the design and the speed with which it was distributed to victims' endpoints convinced the researchers that a state-sponsored actor was behind the campaign.
Russian styles
While the tool itself is dangerous, the researchers were more interested in its distribution pathway, which suggests the involvement of a state-sponsored actor.
The malware is distributed as a fake CV document. The resume is an ISO file that, once mounted as a virtual drive, displays what looks like a Microsoft Word document.
While the researchers still cannot identify the exact threat actor behind this use of BRC4, they suspect the Russian group APT29 (also known as Cozy Bear), which has used weaponized ISOs in the past.
Another hint that a state-sponsored actor is involved is the speed with which BRC4 was weaponized: the ISO was created on the same day the latest version of BRC4 was released.
“The analysis of the two samples described in this blog, as well as advanced craftsmanship used in assembling these payloads, shows that malicious cyber actors are beginning to embrace this capability,” Unit 42 wrote in a blog post.
“We believe it is imperative that all security service vendors establish BRC4 detection protections and that all organizations take proactive measures to defend against this tool.”
Via: record