DarkUniverse APT Uses Just-in-Time Malware Creation

silversurfer

A threat actor that has been active for at least eight years has been creating new malware samples just before delivering them to victims, Kaspersky Lab reports. Dubbed DarkUniverse, the adversary is described as the 27th function of a ShadowBrokers script that was included in the 2017 ‘Lost in Translation’ leak and which was designed to check for traces of other APTs on the victim machine.
The malware was being disseminated using spear phishing emails. The messages were carefully tailored for each victim, to entice them into opening an attached malicious Microsoft Office document. An executable file embedded in the document would then begin the malicious routine, which started with dropping two files onto the system.
The first is the updater.mod module, which is implemented as a dynamic-link library with only one exported function, and which ensures communication with the command and control (C&C) server. The second file is glue30.dll, a module that provides keylogging functionality.
Persistence was achieved through a link file placed in the startup folder.
In one campaign, the C&C servers were mostly based on cloud storage at mydrive.ch, with a different account registered for each victim. Additional malware modules and a configuration file were stored in those accounts, Kaspersky reports.
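The persistence step above (a shortcut dropped into the Startup folder) is something a defender can audit directly. As an added example that is not part of the article or this thread, the Python below parses a Windows shell link (.lnk) with struct only, recovers the local target path and arguments, and flags shortcuts whose target lives in a user-writable tree; the SUSPICIOUS_PREFIXES list and the sample shortcut built by build_sample_lnk are constructed for this example and are not indicators from the report.

```python
import struct

# Constants from the MS-SHLLINK format; the suspicious-prefix list is an assumption for this example.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # Name, RelativePath, WorkingDir, Arguments, IconLocation
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
SUSPICIOUS_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def _cstr(buf, off):
    # Null-terminated ANSI string starting at off.
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def parse_lnk(data):
    """Return (local target path, arguments) from raw .lnk bytes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                     # skip the size-prefixed ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for flag in STRING_FLAGS:                   # StringData blocks appear in this fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[flag] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return target, strings.get(HAS_ARGUMENTS, "")

def is_suspicious_startup_link(data):
    # A Startup shortcut whose target lives in a user-writable tree merits review.
    target, _args = parse_lnk(data)
    return target.lower().startswith(SUSPICIOUS_PREFIXES)

def build_sample_lnk(local_path, args):
    """Constructed fixture: minimal .lnk with LinkInfo and Arguments (not a real-world sample)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"        # DRIVE_FIXED, empty label
    base, suffix, hdr = local_path.encode("latin-1") + b"\x00", b"\x00", 0x1C
    body = volume_id + base + suffix
    link_info = struct.pack("<7I", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(base)) + body
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

On a live host, feed parse_lnk the bytes of each file in the per-user and all-users Startup folders (under Start Menu\Programs\Startup) and review anything is_suspicious_startup_link flags.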

ForgottenSeer 823865

More and more traditional AVs will be useless:
- zero-minute malware.
- targeted users.

Your only protection? Default-deny and being a useless home user; you are not a valuable target, at worst you may end up as a zombie in a botnet.

I don't even mention fileless versions or kernel exploits...