Security News: Powerful new APT discovered

mellowtones242

Level 2
Thread author
Verified
Aug 11, 2018
95
"The new APT's malware goes to extraordinary lengths to evade detection and includes the ability to detect and hide from eight different antivirus products, including Sophos, Kaspersky, AVG and BitDefender."

Which the other 4 AV products are is what I want to know.
 
5

509322

"The new APT's malware goes to extraordinary lengths to evade detection and includes the ability to detect and hide from eight different antivirus products, including Sophos, Kaspersky, AVG and BitDefender."

Which the other 4 AV products are is what I want to know.

'The malware didn't just evade antivirus detection, however, it let itself be discovered by different antivirus vendors on preprogrammed dates, likely as a distraction tactic. "What we've got here in this case is a threat actor who has figured out how to determine what antivirus is running on your system and deliberately trigger it in an attempt to distract you,"

The White Company also used commodity malware to confuse security researchers looking for exotic nation-state malware. "With publicly available malware, an analyst can't be sure of authorship," the report wrote, "which in turn has the effect of impeding attempts at attribution. In this context, it also undermines the assumptions of analysts who conduct taxing reviews of complex shellcode and are expecting fancy, custom malware samples." '

Tactics that would send most people on the security forums into a tailspin.

So much for default-allow and Windows.

But home users shouldn't worry... no one in their right mind is about to waste such valuable stuff on home users.
 

mellowtones242

Level 2
Thread author
Verified
Aug 11, 2018
95
I'm just curious, but why is knowing which AVs the malware is programmed to/can bypass so important to know?

Lol nice one @Umbra. Well, I guess it's how you look at it. For me, first off, why did that particular source not name the others? Second, were other AVs tested and able to stop the APT? If they did, who are they? And last, are the vendors tested being targeted, and why? I tend to read into things a lot, so excuse me at times. lol
 

ForgottenSeer 58943

Here is the full list: Sophos, BitDefender, ESET, Kaspersky, Avira, Avast!, AVG, and Quick Heal.

All is not what it seems. That it wasn't crafted to evade some of the most popular AVs in the world (Norton, McAfee, Trend) can sort of lead you to some conclusions about who designed it, along with those 'strange' residual signatures of US (and likely Israeli) actors. AVs really need to consider the security of their own products, which includes using encrypted updates/encrypted update channels, and better self-defense modules.

Also, security through obscurity sort of applies. It's expensive and time consuming to code bypasses for a wide range of AV products. This coding has to match the targeted actors' security profile; in most cases, what the largest number of targets use for security is the most logical bypass code. So using some fairly obscure AV/security product may impart some level of additional security, especially with the time involved in examining those products and developing bypasses.

So Jimbo in Wisconsin won't likely ever see an APT. But he can practically guarantee he won't see any crafted ones if he is using Dr. Web SS12, Mks_VIR, Ikarus or whatever. Some 'suspect actor' in the Middle East using Avast is easy pickings in comparison to the same guy using a more obscure security product.

There is something that can be said about not using what everyone else uses. Waterfox is another good example vs. using Chrome or whatever. Not a lot of people out there are considering, or bothering, to code exploits for Waterfox. ;-)
 
5

509322

There is something that can be said about not using what everyone else uses.

It's one of the smartest, most effective and most easily implemented counter-strategies. Not that most would understand it, nor implement it even if they did fully grasp it. They will always insist on using the popular software X, Y & Z and make the smash a very easy one.

It doesn't take nation-state stuff to encounter AV evasion. There are more than enough documented cases of it. We had multiple samples that either smashed the AV or simply bypassed it. Either case = pwn. ZBot was a prime example. It could disable HIPS, the firewall, etc. Smash, smash, smash... but use some solution that was not on the radar, and it turned the tables.
 

ForgottenSeer 58943

It's one of the smartest, most effective and most easily implemented counter-strategies. Not that most would understand it, nor implement it even if they did fully grasp it. They will always insist on using the popular software X, Y & Z and make the smash a very easy one.

It doesn't take nation-state stuff to encounter AV evasion. There are more than enough documented cases of it. We had multiple samples that either smashed the AV or simply bypassed it. Either case = pwn. ZBot was a prime example. It could disable HIPS, the firewall, etc. Smash, smash, smash... but use some solution that was not on the radar, and it turned the tables.

Agreed. Even something simple, like using an office product that is NOT Microsoft's, or a PDF viewer that is NOT one of the big ones (Adobe, whatever). All of them add to your portfolio of avoidance of commonly seen threats. It's sort of hilarious to open a loaded document in, say, Zoho Docs or Softmaker and watch it sort of dumb itself out and not know what to do, eh?

A lot of people use popular software (increasing the threat surface) because 'it's what others they know do', or in many cases it's what was free or cost them $5 for a 100-device license or something (or it scores high on XYZ fake testing). But that's what people want, so that's what they get. Off-the-shelf evasions, I guess.
 
5

509322

Agreed. Even something simple, like using an office product that is NOT Microsoft's, or a PDF viewer that is NOT one of the big ones (Adobe, whatever). All of them add to your portfolio of avoidance of commonly seen threats. It's sort of hilarious to open a loaded document in, say, Zoho Docs or Softmaker and watch it sort of dumb itself out and not know what to do, eh?

A lot of people use popular software (increasing the threat surface) because 'it's what others they know do', or in many cases it's what was free or cost them $5 for a 100-device license or something (or it scores high on XYZ fake testing). But that's what people want, so that's what they get. Off-the-shelf evasions, I guess.

The psychology on the forums is all over the place. And most of it just ain't right.

An AV XYZ user will switch to a different AV when it performs poorly in malicious Office document testing, even though they don't have Office installed.

There is ultra-paranoia on the forums about malicious documents despite the fact that most people here know not to enable macros and can readily identify a malicious document because the vast majority of such documents are so obvious.

Quite a few folks get surprisingly bent out of shape by the best solutions, such as "Uninstall Office and use something else to reduce your attack surface." Meaning their thinking is "Your stuff is broken because a user shouldn't have to ever uninstall and switch to something else."

I get that there is a lot for people to learn. Things that can be counter-intuitive and a challenge to grasp. But the forums really are amateur night. And that is mostly attributable not to ignorance, but instead to idealism, stubbornness and a general refusal to accept reality for what it is.
 

Deleted member 178

Indeed, companies use MS Office, so employees have to use it, like Photoshop or AutoCAD. Mastering the popular ones (especially Excel) is already a challenge; people don't have time to learn an alternative just because some security paranoids say so.

About browsers, Chrome is the safest; even blackhats admitted that breaking it requires too much time, it is not worth it.
No way I would replace it with weak FF, and even less with an FF alternative lol.

What is laughable is those paranoids are still on Windows...looooool
 
