This piece of malware was affecting a limited number of hosts belonging to a range of IP addresses marked as sensitive targets.
The malware was found stealing information from various undisclosed government agencies, leaving the research team with the presumption that the attack is part of a high-level cyber-espionage campaign.
It uses various methods to steal information, ranging from keylogging to password and cookie theft. The malware is built around a legitimate, yet controversial, recovery toolkit provided by Nirsoft, a developer's website offering freeware utilities.
Applications provided by Nirsoft are used to recover cached passwords or monitor network traffic by way of powerful command-line interfaces that can be told to run covertly, pegging the toolkit as controversial.
Furthermore, toolkits provided by Nirsoft have been flagged as potential security threats by the anti-malware industry, since they are very easy to abuse and make the creation of powerful malware trivial.
Email is the primary infection vector; however, Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK, “We don't exclude the possibility of having it delivered via other mechanisms such as water-holing, for instance.”
About 500 infected bots were identified during the initial assessment, based on an incremental counter in the bot registration process. The group's origins were traced back to May 2016 when the first sample was obtained.
When asked what organisations can do to monitor and secure their networks better to avoid infection from this campaign, Botezatu told SC: “This attack relies on the fact that the open source tools, even if they got flagged by the local security solutions, would trigger low non-critical alerts, similar to the ones triggered by aggressive adware, for instance. They are labeled as potentially-unwanted products, not as malware. We advise organisations to treat alerts triggered by the security solutions as potentially serious and investigate such alerts. Last, but not least, organisations should blacklist such applications in order to prevent them from running on endpoints.”
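The advice above boils down to not discarding low-severity "potentially unwanted application" alerts when they cluster on one host, land on sensitive addresses, or were allowed to run. The following script is an added example (it is not code from the article, from Bitdefender or from Nirsoft) showing one way a SOC could triage such alerts automatically. The key=value log format, the field names, the `PUA.` classification prefix and the 10.20.0.0/16 "sensitive" range are all constructed assumptions, as are the sample alert lines.

```python
"""Triage low-severity PUA alerts instead of treating them as adware noise.

Added example, not code from the article or from Bitdefender. The log
format, field names, classification prefix and sensitive IP range below
are assumptions chosen for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in an assumed "key=value" format.
SAMPLE_ALERTS = """\
ts=2016-05-03T09:12:44Z host=10.20.5.17 sev=low class=PUA.RecoveryTool action=quarantined
ts=2016-05-03T09:13:02Z host=10.20.5.17 sev=low class=PUA.NetworkSniffer action=quarantined
ts=2016-05-03T11:40:10Z host=192.168.7.8 sev=low class=PUA.Adware action=quarantined
ts=2016-05-04T08:01:55Z host=10.20.9.3 sev=low class=PUA.PasswordRecovery action=allowed
ts=2016-05-04T08:30:00Z host=172.16.2.2 sev=high class=Trojan.Generic action=quarantined
"""

# Assumed address ranges the organisation treats as sensitive targets.
SENSITIVE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_alerts(text):
    """Turn each non-empty log line into a dict of its key=value fields."""
    return [dict(LINE_RE.findall(line)) for line in text.splitlines() if line.strip()]


def is_sensitive(host):
    """True when the host address falls inside a sensitive range."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in SENSITIVE_NETS)


def triage(alerts, repeat_threshold=2):
    """Return a dict host -> list of reasons why its PUA alerts were escalated.

    A PUA alert is escalated when the host lies in a sensitive range, when the
    tool was allowed to run, or when a host accumulates several distinct PUA
    detections (one PUP hit may be noise; a toolkit of them is not).
    """
    pua_by_host = defaultdict(list)
    reasons = defaultdict(list)
    for alert in alerts:
        if not alert.get("class", "").startswith("PUA."):
            continue  # only low-severity PUA alerts are in scope here
        host = alert["host"]
        pua_by_host[host].append(alert)
        if is_sensitive(host):
            reasons[host].append(f"PUA on sensitive host: {alert['class']}")
        if alert.get("action") == "allowed":
            reasons[host].append(f"PUA allowed to run: {alert['class']}")
    for host, hits in pua_by_host.items():
        distinct = {h["class"] for h in hits}
        if len(distinct) >= repeat_threshold:
            reasons[host].append(f"{len(distinct)} distinct PUA detections")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(host, "->", "; ".join(why))
```

Run as-is, the script escalates the two hosts in the sensitive range and ignores the lone adware hit outside it; feeding it real EDR or antivirus exports only requires adapting `parse_alerts` to the product's field names.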