Government-Grade Stealth Malware In Hands Of Criminals

  /     /     /  
Publicated : 22/11/2024   Category : security


Government-Grade Stealth Malware In Hands Of Criminals


Gyges can be bolted onto other malware to hide it from anti-virus, intrusion detection systems, and other security tools.



Malware originally developed for government espionage is now in use by criminals, who are bolting it onto their rootkits and ransomware.
The malware, dubbed Gyges, was first discovered in March by Sentinel Labs, which
just released an intelligence report
outlining their findings. From the report: Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.
Sentinel was able to detect Gyges with on-device heuristic sensors, but many intrusion prevention systems would miss it. The report states that Gyges evasion techniques are significantly more sophisticated than the payloads attached. It includes anti-detection, anti-tampering, anti-debugging, and anti-reverse-engineering capabilities.
Because of this, the researchers suspected that although Gyges was attached to ransomware (including CryptoLocker) and bot code, it had been originally created as a carrier for a much more sophisticated attack -- something like what a government agency would use to collect intelligence data.
Further analysis bears out that suspicion. Certain components of the code matched that of known malware, which had been used before in targeted attacks for an espionage campaign originating in Russia.
This code is really hard to replicate, says Udi Shamir, Sentinels head of research, so it would be hard to believe that it was created by a different group.
Gyges goes to great lengths to hide itself. For example:
Lots of malware leaps into action when a user is active; thus, sandbox-based security tools often emulate user activity to trigger malware execution. Gyges, on the other hand, waits for user
inactivity
before operating.
It also uses a hooking bypass technique that exploits a log bug in Windows 7 and 8. Security tools could hook into Windows-on-Windows to see what 32-bit applications are trying to run on a 64-bit system. What Gyges can do is start as a 32-bit application, then call the 64-bit system directly, instead of working through Windows-on-Windows, thereby bypassing a hook.
Gyges also uses Yoda, a protector, which obfuscates malicious behavior by first converting the original application into sections, then extracting those sections only when the application is running.
Malware hackers know that at some point theyre going to be detected, says Sentinel Labs CEO Tomer Weingarten. So [the Gyges writers] also started focusing on what happens after theyre detected. Theyre putting in mechanisms to make it very hard for vendors to analyze them.
The malware was used by government agencies to gather information -- eavesdropping, keylogging, capturing screens, and stealing identities and intellectual property. Now it is being used by cybercriminals for committing online banking fraud, encrypting hard drives to collect ransoms, installing rootkits and Trojans, creating botnets, and targeting critical infrastructures.
Gyges seems like an awfully sophisticated bit of kit to tack onto some run-of-the-mill malware. Why put lipstick on a pig?
According to Weingarten, evasion techniques like these can give financially motivated criminals more bang for their buck, better return on their investments, because it helps increase the rate of and duration of infection.
This is definitely a trend were seeing, he said. The evasion code is becoming what malware is all about.
For the complete technical details, download the complete report at
sentinel-labs.com
.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Government-Grade Stealth Malware In Hands Of Criminals