A new type of malware was recently discovered that managed to evade 56 separate antivirus products before finally being caught.
The malware, once executed, can cause serious damage to your device, and it is so well put together that it could be the product of nation-state actors. Opening an email attachment is all it takes to set it off.
Unit 42, the threat intelligence team at Palo Alto Networks, has just published a report on a piece of malware that evaded detection by no fewer than 56 antivirus products. According to the team, the way the malware was built, packaged and deployed closely resembles techniques used by the threat group APT29, also known as Iron Ritual and Cozy Bear. This group has been attributed to the Russian Foreign Intelligence Service (SVR), which suggests that the malware in question could be a nation-state affair.
According to Unit 42, the malware was first spotted in May 2022, hidden inside a rather unusual file type: an ISO, a disk image format used to carry the entire contents of an optical disc. The file carries a malicious payload that Unit 42 believes was created with a tool called Brute Ratel (BRC4). BRC4 is marketed on its ability to evade detection, its authors claiming to have reverse-engineered antivirus software to make the tool even harder to spot. Brute Ratel is reportedly favoured by APT29, adding further weight to the claim that this malware could be linked to the Russia-based Cozy Bear group.
The ISO file pretends to be the curriculum vitae (résumé) of someone named Roshan Bandara. Upon arrival in the recipient’s inbox it does nothing, but when opened it mounts as a Windows drive and displays a file called “Roshan-Bandara_CV_Dialog”. This is where it is easy to be fooled: the file looks like an ordinary Microsoft Word document, but double-clicking it runs cmd.exe, which proceeds to install BRC4.
When this is done, any number of things could happen to your computer – it all depends on the intentions of the attacker.
Unit 42 notes that the discovery of this malware is significant for a number of reasons. First, there is a high probability that it is linked to APT29. Beyond the reasons listed above, the ISO file was created on the same day a new version of BRC4 was released. This suggests that state-backed attackers may time their operations to deploy them at the most convenient moment. APT29 has also used malicious ISOs in the past, so everything seems to fit.
The near-undetectability is significant in itself. Making malware this covert takes a great deal of work, and it suggests that such attacks could pose a real threat in the hands of the wrong team.
How can you stay safe?
With reports of cyberattacks piling up in recent years, one can hope that many users are now more aware of the dangers of placing too much trust in random people and their files. However, these attacks sometimes come from unexpected sources and in many forms. Huge distributed denial-of-service (DDoS) attacks happen all the time, but those are mostly a problem for enterprise users. Sometimes software we know and trust is impersonated to trick us into trusting a download. How do you stay safe when danger seems to lurk around every corner?
First of all, it is worth noting that many of these large-scale cyberattacks are aimed at organizations; it is unlikely that individuals would be targeted. However, in this particular case, where the malware is hidden inside an ISO file presented as a résumé, it could plausibly be opened by people in HR roles, including those at smaller organizations. Larger companies often have more robust IT departments that would block an unexpected ISO file from being opened, but one never knows when something might slip through the cracks.
Given the above, it is never a bad idea to follow a very simple rule that many of us still sometimes forget: never open attachments from unknown senders. This can be difficult for an HR department that actively collects résumés, but you, as an individual, can apply that rule to your daily life and miss nothing. It is also worth choosing one of the best antivirus programs available. Still, the greatest security comes from simply browsing carefully, avoiding websites that do not look legitimate, and treating your email with suspicion.
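The lure described above relies on two things a mail gateway can check before a file ever reaches an HR inbox: the attachment is a disk image (an ISO), and the file inside it looks like a Word document while actually being something that launches cmd.exe. The following is an added example written for this article, not Unit 42's tooling or anything from the report. It assumes the decoy is a Windows shortcut carrying a `.lnk` extension (the article only gives the name “Roshan-Bandara_CV_Dialog”), identifies ISO 9660 images by the `CD001` identifier at offset 0x8001 rather than by file name, and compares a document's claimed extension against its first bytes. All sample attachments are constructed inline.

```python
"""Mail-gateway attachment triage (added example, not the article's or Unit 42's code).

Two defensive checks motivated by the ISO/fake-CV lure described in the article:
  1. disk-image attachments (ISO) are quarantined regardless of how they are named;
  2. a file that claims to be a document (.doc/.docx/.pdf) but whose first bytes
     are a Windows shortcut, an executable, or anything else unexpected is flagged
     as an extension/content mismatch.
Sample attachments below are constructed for the example; no real malware is used.
"""

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type and bytes 1..5 are the identifier "CD001".
ISO_ID_OFFSET = 0x8001
ISO_ID = b"CD001"

# Magic numbers used to compare content against the claimed extension.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                       # .docx (OOXML is a zip container)
PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"                                # PE executable
# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4C000000") + bytes.fromhex("0114020000000000C000000000000046")

EXPECTED_MAGIC = {"doc": (OLE_MAGIC,), "docx": (ZIP_MAGIC,), "pdf": (PDF_MAGIC,)}
DISK_IMAGE_EXTENSIONS = {"iso"}   # the article mentions ISO only; extend per local policy


def extension_of(filename):
    """Lower-cased final extension, or '' if the name has none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_iso_image(data):
    """True if the bytes carry an ISO 9660 volume descriptor, whatever the file is called."""
    return data[ISO_ID_OFFSET:ISO_ID_OFFSET + len(ISO_ID)] == ISO_ID


def content_kind(data):
    """Classify an attachment by its leading bytes (or the ISO descriptor)."""
    if data.startswith(LNK_MAGIC):
        return "windows-shortcut"
    if data.startswith(MZ_MAGIC):
        return "executable"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(ZIP_MAGIC):
        return "zip-container"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if is_iso_image(data):
        return "iso-image"
    return "unknown"


def triage(filename, data):
    """Return the findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = extension_of(filename)
    kind = content_kind(data)

    if ext in DISK_IMAGE_EXTENSIONS or kind == "iso-image":
        findings.append("disk-image-attachment")
    if kind in ("windows-shortcut", "executable"):
        findings.append(f"active-content:{kind}")
    if ext in EXPECTED_MAGIC and not any(data.startswith(m) for m in EXPECTED_MAGIC[ext]):
        findings.append(f"extension-mismatch:.{ext}-contains-{kind}")
    return findings


def verdict(findings):
    """Gateway decision for the attachment."""
    return "quarantine" if findings else "deliver"


def build_iso_like():
    """Constructed stand-in for an ISO: 32 KiB system area, then a minimal PVD header."""
    return b"\x00" * 0x8000 + b"\x01" + ISO_ID + b"\x01" + b"\x00" * 2041


# Constructed samples, not files from the campaign. The .lnk name is an assumption.
SAMPLES = {
    "Roshan-Bandara_CV.iso": build_iso_like(),
    "Roshan-Bandara_CV_Dialog.lnk": LNK_MAGIC + b"\x00" * 56,
    "CV.docx": LNK_MAGIC + b"\x00" * 56,      # a shortcut wearing a document name
    "genuine.docx": ZIP_MAGIC + b"\x00" * 26,
    "renamed.txt": build_iso_like(),          # ISO content behind a harmless name
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        found = triage(name, data)
        print(f"{name:32} {verdict(found):10} {found}")
```

The point of checking the `CD001` identifier rather than the `.iso` extension is that renaming the attachment does not get it past the gate, and the point of the extension/content comparison is that a file presented as a Word document only passes if its bytes actually are a Word document.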