Magic Malware Uses Custom Protocol And A Magic Code Handshake

Published: 22/11/2024   Category: security




Researchers spot a nearly year-long attack campaign that employs some special tricks



Newly discovered malware that has been targeting thousands of businesses -- mostly in the financial, education, and telecom industries in the U.K. -- for almost a year employs its own custom protocol and a "magic code" to communicate with a victim's machine.
Aviv Raff, CTO at Seculert, says the attackers behind the campaign are gathering data from the infected businesses and are constantly adding new features to what appears to be a work in progress and unusual malware family.
"We currently only have visibility to the current phase of the campaign. I believe that, at the end, the attackers will sell the collected information, or provide access to selected targets, as part of an industrial espionage operation," Raff says. "Previous similar operations ended up with a wiper module being downloaded to cover their tracks. This might also be the case here."
The malware uses what it calls a "magic code" for authenticating the infected machine. "Without this magic code, the server will not reveal the command intended for the victim," Raff says.
It also communicates with the infected machines via a custom-made protocol rather than the standard HTTP for command-and-control. The start of the conversation between the server and the infected machine is the specific code, dubbed "magic code" by the attackers. Seculert discovered the command-and-control server responding to the malware via the custom protocol to add a new backdoor: Username: WINDOWS, Password: MyPass1234. That gives the attacker remote access to the victim's machine.
Raff says it's still unclear who is behind it. But given that the malware appears to still be under development, more information on the intent of the attacks should emerge. "This campaign is using a custom-made malware and has gone undetected for almost a year now, targeting businesses. The attackers are collecting data from the targeted entities, and keep adding features, which will eventually reveal their real intent behind this campaign," he says.
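Two defender-side checks follow from the behaviour described above: a non-HTTP command channel that always opens with the same fixed token across many infected hosts, and the server-side "add a backdoor account" command that leaves a local account named WINDOWS behind. The Python below is an added example, not code from the article or from Seculert; the flow records, log lines, and the 4-byte "MAGC" token are constructed sample data (the real magic code is not given on the page), and the log line format is a simplified stand-in for Windows security event 4720 (user account created).

```python
import re
from collections import defaultdict

# Leading bytes of ordinary HTTP request lines; anything else on a C2-looking
# destination is treated as a candidate custom protocol.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"CONNECT ")

# Constructed flow records: (source host, destination IP, destination port,
# first payload bytes sent by the client). The "MAGC" token is a placeholder
# for the campaign's real magic code, which the article does not disclose.
FLOWS = [
    ("ws01", "198.51.100.7", 443, b"MAGC\x01\x00\x02\x10host=ws01"),
    ("ws02", "198.51.100.7", 443, b"MAGC\x01\x00\x02\x10host=ws02"),
    ("ws03", "198.51.100.7", 443, b"MAGC\x01\x00\x02\x10host=ws03"),
    ("ws04", "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    ("ws05", "203.0.113.9", 80, b"POST /api HTTP/1.1\r\nHost: example.test\r\n"),
    ("ws06", "192.0.2.44", 8080, b"\x16\x03\x01\x00\xc8"),  # one host only: not enough to flag
]

# Constructed, simplified security log lines (real 4720 events are XML/EVTX).
EVENTS = [
    "2024-11-20T10:01:02Z host=ws01 EventID=4720 NewAccount=WINDOWS Creator=SYSTEM",
    "2024-11-20T10:05:44Z host=ws02 EventID=4624 Account=alice LogonType=2",
    "2024-11-20T10:07:13Z host=ws02 EventID=4720 NewAccount=svc_backup Creator=admin",
    "2024-11-20T10:09:58Z host=ws03 EventID=4720 NewAccount=windows Creator=SYSTEM",
]


def is_http(payload: bytes) -> bool:
    """True when the first client bytes look like a plain HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def find_magic_prefixes(flows, prefix_len: int = 4, min_hosts: int = 3):
    """Group non-HTTP flows by (destination, port, leading bytes).

    A fixed leading token that many distinct sources send to the same server
    is the signature of a magic-code style handshake. Returns a dict mapping
    (dst, port, prefix) -> sorted list of source hosts for groups seen from at
    least `min_hosts` different machines.
    """
    sources = defaultdict(set)
    for src, dst, port, payload in flows:
        if is_http(payload):
            continue
        sources[(dst, port, payload[:prefix_len])].add(src)
    return {key: sorted(hosts) for key, hosts in sources.items() if len(hosts) >= min_hosts}


def find_backdoor_accounts(events, suspect_users=("WINDOWS",)):
    """Return 4720-style lines that create one of the suspect account names.

    The comparison is case-insensitive because Windows account names are.
    """
    pattern = re.compile(r"EventID=(\d+).*?NewAccount=(\S+)")
    hits = []
    for line in events:
        match = pattern.search(line)
        if match and match.group(1) == "4720" and match.group(2).upper() in suspect_users:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for (dst, port, prefix), hosts in find_magic_prefixes(FLOWS).items():
        print(f"handshake token {prefix!r} to {dst}:{port} from {len(hosts)} hosts: {hosts}")
    for line in find_backdoor_accounts(EVENTS):
        print("suspect account creation:", line)
```

The network check deliberately ignores the destination port: the campaign's channel is not HTTP, so matching on "port 443 therefore TLS" would miss it, while a constant non-HTTP prefix fanning in from several hosts to one server stands out regardless of port. The account check is narrow by design; widen `suspect_users` with whatever names your own investigation turns up.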
The full blog post from Seculert's Raff, complete with screenshots and code snippets, is here.
