New Loader Variant Behind Widespread Malware Attacks

silversurfer

Behind a recent wave of cyberattacks that has pelted PCs with FormBook, LokiBot and SmokeLoader malware is an updated version of a malware-loading technique called TxHollower. Researchers describe it as a new “significant threat” and add that attacks using TxHollower have “spread like wildfire” over the past year.

Ensilo researchers tracking TxHollower said on Thursday that part of the uptick is tied to improved features that allow adversaries to sneak malware past some antivirus software defenses more effectively.

“The samples we are seeing today are far more stealth,” said Udi Yavo, CTO and co-founder of Ensilo, in an interview with Threatpost. Improvements include TxHollower being able to lie dormant if AV software is detected and, in other cases, being able to bypass the user-mode hooks that AV software uses to detect malware.

TxHollower is what is known as a malware loader, a type of malicious code that specializes in loading a second-stage malware payload onto a victim’s system. Unlike dropper malware, which downloads malicious files from a command-and-control server, a loader hides the malware payload inside the loader code itself.

“This loader is a significant threat, besides [distributing] GandCrab, that closed up shop earlier this year, it delivers over a dozen other payloads like FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat and Pony stealer,” wrote Omri Misgav, security research team leader at Ensilo, in a blog post outlining the infection technique.