A new malware sample has been detected that primarily targets users in the UK.
Detected by Seculert CTO Aviv Raff, he said that the sample was flagged due to its unusual behaviour when it communicated with its command and control (C&C) server and used a custom-made protocol, and always used ‘a magic code' at the beginning of the conversation.
Raff's research said that the ‘magic' malware is active, persistent and had remained undetected on targeted machines for the past 11 months, and the attackers have targeted several thousands of different entities, most of them located in the United Kingdom. Seculert research found that 78 per cent of targets were in the UK, while six per cent were in Italy and four per cent each in Germany and the United States.Asked why the UK was being targeted specifically, Raff said he did not know why this was, but that this is a persistent attack that went under the radar for almost a year.
He said: “Furthermore, this malware is still under development. We have seen several indications of features that are not yet implemented, and functions that are not yet used by the malware.
“For instance, in case the attacker would like to open a browser on the victim's machine, the malware will pop up on the RDP session for the attacker via a box with the message ‘TODO:Start browser!' ”
Raff admitted that the real intention of the attackers behind this ‘magic' malware is unknown.
“As the malware is capable of setting up a backdoor, stealing information and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” he said.
“But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”
Asked what he felt made this different from other advanced persistent threats (APTs), which also included a backdoor and data stealing capabilities, Raff said: “We suspect that this is only the first phase of the attack, and like previous ones, the next phase will include a wiper module to cover the attacker's tracks.”