New Loader Variant Behind Widespread Malware Attacks

silversurfer

Thread author

Aug 17, 2014
Behind a recent wave of cyberattacks pelting PCs with FormBook, LokiBot and SmokeLoader malware is an updated version of a malware-loading technique called TxHollower. Researchers describe it as a new “significant threat” and add that attacks using TxHollower have “spread like wildfire” over the past year.

Ensilo researchers tracking TxHollower said on Thursday that part of the uptick is tied to improved features that allow adversaries to more effectively sneak malware past some antivirus software defenses.

“The samples we are seeing today are far more stealth,” said Udi Yavo, CTO and co-founder of Ensilo, in an interview with Threatpost. Improvements include TxHollower being able to lie dormant if AV software is detected and, in other cases, being able to bypass the user-mode hooks that AV software uses to detect malware.

TxHollower is what is known as a malware loader, a type of malicious code that specializes in loading a second-stage malware payload onto a victim’s system. Unlike dropper malware, which downloads malicious files from a command-and-control server, a loader carries the malware payload inside the loader code itself.

“This loader is a significant threat, besides [distributing] GandCrab, that closed up shop earlier this year, it delivers over a dozen other payloads like FormBook, LokiBot, SmokeLoader, AZORult, NetWire, njRat and Pony stealer,” wrote Omri Misgav, security research team leader at Ensilo, in a blog post outlining the infection technique.